Windows Analysis Report
SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msi

Overview

General Information

Sample name:SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msi
Analysis ID:1505009
MD5:305302b116cf1affd6662385b845fad7
SHA1:de4d88c3f376f749b21a8eeb572a80bc481637b0
SHA256:fab822cc1d5b10a959de748250badb0f1244964942814046b74c41b8887c8c00
Tags:msi

Detection

AteraAgent
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AteraAgent
AI detected suspicious sample
Creates files in the system32 config directory
Installs Task Scheduler Managed Wrapper
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Yara detected Generic Downloader
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Is looking for software installed on the system
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses net.exe to stop services
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • msiexec.exe (PID: 3568 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 6516 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 4512 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 6BEB905C8354112D7E7BC21C1881079B MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 7120 cmdline: rundll32.exe "C:\Windows\Installer\MSIBA36.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4373156 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 1600 cmdline: rundll32.exe "C:\Windows\Installer\MSIBCE7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4373765 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 5244 cmdline: rundll32.exe "C:\Windows\Installer\MSICC98.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4377781 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 6720 cmdline: rundll32.exe "C:\Windows\Installer\MSIE45B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4383859 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd MD5: 889B99C52A60DD49227C5E485A016679)
    • msiexec.exe (PID: 6716 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 98B428FB0154F0966007DE80009BCB6E E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • net.exe (PID: 4456 cmdline: "NET" STOP AteraAgent MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 1772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 6972 cmdline: C:\Windows\system32\net1 STOP AteraAgent MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • taskkill.exe (PID: 2952 cmdline: "TaskKill.exe" /f /im AteraAgent.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AteraAgent.exe (PID: 5404 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="daniteixeiraca@gmail.com" /CompanyId="4" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000GIFLyIAP" /AgentId="7a7e43f1-0afc-4f50-8c61-339131846a69" MD5: 477293F80461713D51A98A24023D45E8)
    • msiexec.exe (PID: 5052 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 41990507C01A0A78CED2BEEF0F9E4459 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 320 cmdline: rundll32.exe "C:\Windows\Installer\MSIB567.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4437562 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId MD5: 889B99C52A60DD49227C5E485A016679)
  • AteraAgent.exe (PID: 5448 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
    • sc.exe (PID: 6844 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7060 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "352bade9-39fc-4189-bf6a-41f552dd6fba" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000GIFLyIAP MD5: ACCE8B17DE63299AA4D5CB7D709BEEDC)
      • conhost.exe (PID: 4816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 1848 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "34d7bbb1-2b8f-4bcd-964e-f5acf144e140" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000GIFLyIAP MD5: ACCE8B17DE63299AA4D5CB7D709BEEDC)
      • conhost.exe (PID: 2952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 4712 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "47d6379b-c658-4e52-a133-db8b6d46f0d9" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000GIFLyIAP MD5: ACCE8B17DE63299AA4D5CB7D709BEEDC)
      • conhost.exe (PID: 6760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 5304 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "8cc942ae-3bdb-4222-9453-2ed70848cfc7" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000GIFLyIAP MD5: ACCE8B17DE63299AA4D5CB7D709BEEDC)
      • conhost.exe (PID: 5300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 2072 cmdline: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cscript.exe (PID: 6540 cmdline: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
    • AgentPackageMonitoring.exe (PID: 6716 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "585ea9f2-ff62-42b1-8621-32f89cbd700f" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000GIFLyIAP MD5: B50005A1A62AFA85240D1F65165856EB)
      • conhost.exe (PID: 3396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • AteraAgent.exe (PID: 4524 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
    • sc.exe (PID: 6612 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7504 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "207c764f-7b5e-4361-b17c-c2a6bd7d6267" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000GIFLyIAP MD5: ACCE8B17DE63299AA4D5CB7D709BEEDC)
      • conhost.exe (PID: 7520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7588 cmdline: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cscript.exe (PID: 7656 cmdline: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
    • AgentPackageUpgradeAgent.exe (PID: 7696 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "4e65690f-3e0c-4d9e-964f-8895324bb3ff" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000GIFLyIAP MD5: 6095B43FA565DA44E7A818CFB4BACBA2)
      • conhost.exe (PID: 7704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 5772 cmdline: "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart MD5: E5DA170027542E25EDE42FC54C929077)
    • AgentPackageTicketing.exe (PID: 7780 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "f721374f-3fe2-4b5f-8eec-11d640442926" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000GIFLyIAP MD5: 38D0C4B048371940F8091F7237A4CAFC)
      • conhost.exe (PID: 7788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageSTRemote.exe (PID: 7812 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "e356d6d4-7cbe-4df1-bcc8-05bbf73f1e8a" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000GIFLyIAP MD5: 00A4D22D776D110ADCC63F0C567131C6)
      • conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageInternalPoller.exe (PID: 7972 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "36f22a95-55e4-49cb-a2d9-ea5984df366a" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000GIFLyIAP MD5: 01807774F043028EC29982A62FA75941)
      • conhost.exe (PID: 7984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageOsUpdates.exe (PID: 8084 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "03c91351-843b-4c54-8a6f-6ddae72fa65a" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000GIFLyIAP MD5: C0C8815ACF3A7BD323512DFEA1B0ABF0)
      • conhost.exe (PID: 8100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageHeartbeat.exe (PID: 8140 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "1d983d41-867d-46f7-858b-ce7cf9dfe8cc" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000GIFLyIAP MD5: 797C9554EC56FD72EBB3F6F6BEF67FB5)
      • conhost.exe (PID: 8164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageProgramManagement.exe (PID: 4508 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "8e1a3aa9-ed84-4ede-9655-ef0091e8bc20" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000GIFLyIAP MD5: 6E034C46991A649567D61B8124D6E59F)
      • conhost.exe (PID: 2072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • sppsvc.exe (PID: 3836 cmdline: C:\Windows\system32\sppsvc.exe MD5: 320823F03672CEB82CC3A169989ABD12)
  • svchost.exe (PID: 7228 cmdline: C:\Windows\System32\svchost.exe -k smphost MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • AgentPackageUpgradeAgent.exe (PID: 7912 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun MD5: 6095B43FA565DA44E7A818CFB4BACBA2)
    • conhost.exe (PID: 7920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Windows\Temp\~DFCE3F0DE558344BD6.TMP | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\chocolatey.log | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Windows\Temp\~DF4DE34DAD7D3601C7.TMP | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\Windows\Temp\~DF5E319E7646B18B95.TMP | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
Source | Rule | Description | Author | Strings
00000028.00000003.2605412856.000002172A390000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
00000022.00000002.2391278461.00000269FE9F5000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
0000000E.00000002.2602123621.0000027B7FC7F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
0000002B.00000002.2926559409.00000244864C5000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
00000039.00000003.2900305278.0000013FED555000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
Source | Rule | Description | Author | Strings
45.2.AgentPackageTicketing.exe.1cb82f00000.1.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
45.2.AgentPackageTicketing.exe.1cb82f00000.1.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
53.2.AgentPackageOsUpdates.exe.2944dd50000.1.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
25.2.AteraAgent.exe.218004a6de0.0.raw.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
45.0.AgentPackageTicketing.exe.1cb82700000.0.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
Source: Process started, Author: Michael Haag, Data: Command: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, CommandLine: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, CommandLine|base64offset|contains: r+, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2072, ParentProcessName: cmd.exe, ProcessCommandLine: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, ProcessId: 6540, ProcessName: cscript.exe
Source: Process started, Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements), Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 98B428FB0154F0966007DE80009BCB6E E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6716, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 4456, ProcessName: net.exe
Source: Process started, Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems), Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 98B428FB0154F0966007DE80009BCB6E E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6716, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 4456, ProcessName: net.exe
Source: Process started, Author: vburov, Data: Command: C:\Windows\System32\svchost.exe -k smphost, CommandLine: C:\Windows\System32\svchost.exe -k smphost, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k smphost, ProcessId: 7228, ProcessName: svchost.exe
                                No Suricata rule has matched

                                AV Detection

Source: 42b8c6.rbf (copy), ReversingLabs: Detection: 21%
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, ReversingLabs: Detection: 21%
Source: SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msi, ReversingLabs: Detection: 21%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 97.8% probability
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Code function: 34_2_00007FF89FDF4E20 CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptEncrypt,GetLastError,CryptDecrypt,GetLastError,CryptDestroyKey,CryptDestroyHash,34_2_00007FF89FDF4E20
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Code function: 34_2_00007FF89FDF4DE0 CryptReleaseContext,34_2_00007FF89FDF4DE0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Code function: 34_2_00007FF89FDF4BC0 CryptAcquireContextW,GetLastError,CryptReleaseContext,CryptReleaseContext,CryptReleaseContext,34_2_00007FF89FDF4BC0
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.config
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dll
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dll
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dll
Source: C:\Windows\System32\msiexec.exe, Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Windows\system32\InstallUtil.InstallLog
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog
Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\TEMP\AteraSetupLog.txt
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\LICENSE.txt
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\7zip.license.txt
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\checksum.license.txt
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\shimgen.license.txt
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdbSHA256 source: AgentPackageMonitoring.exe, 00000022.00000002.2388833628.00000269FDBC2000.00000002.00000001.01000000.0000001F.sdmp
                                Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Hosting/Release/net6.0/Microsoft.Extensions.Hosting.pdb source: Microsoft.Extensions.Hosting.dll.25.dr
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000D.00000000.2121397249.000002C5AC432000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdb= source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2980050197.000002449F4F4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000013.00000002.2269430575.0000013F41DF2000.00000002.00000001.01000000.00000018.sdmp, AgentPackageTicketing.exe, 0000002D.00000002.3732158656.000001CB9B712000.00000002.00000001.01000000.0000004E.sdmp, AgentPackageHeartbeat.exe, 00000037.00000002.2754905148.000001DB5C752000.00000002.00000001.01000000.00000036.sdmp, AgentPackageProgramManagement.exe, 0000003A.00000002.2815798469.000002961D0B6000.00000002.00000001.01000000.00000043.sdmp, Atera.AgentPackage.Common.dll7.25.dr
                                Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb< source: AgentPackageAgentInformation.exe, 00000013.00000000.2244442728.0000013F415E2000.00000002.00000001.01000000.00000016.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002B.00000000.2617750941.00000244861C2000.00000002.00000001.01000000.00000026.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdbp+ source: AgentPackageMonitoring.exe, 00000022.00000002.2389296880.00000269FDC82000.00000002.00000001.01000000.00000021.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: AgentPackageMonitoring.exe, 00000022.00000002.2389765735.00000269FDCF2000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdb source: AgentPackageMonitoring.exe, 00000022.00000002.2382248089.00000269E51E2000.00000002.00000001.01000000.0000001D.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdbSHA256G source: AgentPackageInternalPoller.exe, 00000033.00000002.2782762236.00000215FE712000.00000002.00000001.01000000.0000003A.sdmp
                                Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Configuration.Abstractions/Release/net6.0/Microsoft.Extensions.Configuration.Abstractions.pdb source: AteraAgent.exe, 00000019.00000002.2807215547.0000021800548000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdb source: AteraAgent.exe, 00000019.00000002.2807215547.0000021800241000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdbSHA256 source: AgentPackageInternalPoller.exe, 00000033.00000002.2792690357.00000215FEAE2000.00000002.00000001.01000000.0000003D.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000004.00000003.2063828795.0000000004534000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2075226242.0000000004D26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2108722058.00000000041E1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2170478630.00000000046DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2710479187.0000000004D38000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbdq source: AgentPackageTicketing.exe, 0000002D.00000002.3732158656.000001CB9B712000.00000002.00000001.01000000.0000004E.sdmp, Atera.AgentPackage.Common.dll7.25.dr
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb source: AteraAgent.exe, 00000019.00000002.2991860336.0000021869B0F000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: AgentPackageOsUpdates.exe, 00000035.00000002.2804841516.0000029466BD0000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000D.00000000.2121397249.000002C5AC432000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdbdeAgent.pdbD source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2911067057.0000007C23AF2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.pdb:$ source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2980050197.000002449F4AC000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.pdb source: AgentPackageOsUpdates.exe, 00000035.00000002.2804841516.0000029466BD0000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: AteraAgent.exe, 00000019.00000002.2807215547.00000218006F6000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netfx\System.Memory.pdb source: System.Memory.dll3.25.dr
                                Source: Binary string: /_/src/Polly/obj/Release/net461/Polly.pdb source: AgentPackageOsUpdates.exe, 00000035.00000002.2802288315.0000029466AD2000.00000002.00000001.01000000.0000003E.sdmp
                                Source: Binary string: E:\A\_work\533\obj\Microsoft.ApplicationInsights\Release\src\Microsoft.ApplicationInsights\net45\Microsoft.ApplicationInsights.pdb source: Microsoft.ApplicationInsights.dll.14.dr
                                Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Hosting/Release/net6.0/Microsoft.Extensions.Hosting.pdbSHA256-@ source: Microsoft.Extensions.Hosting.dll.25.dr
                                Source: Binary string: D:\a\1\s\AgentPackageInternalPoller\AgentPackageInternalPoller\obj\Release\AgentPackageInternalPoller.pdb source: AgentPackageInternalPoller.exe, 00000033.00000000.2668715578.00000215FD612000.00000002.00000001.01000000.00000029.sdmp
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000E.00000002.2607658011.0000027B80002000.00000002.00000001.01000000.00000025.sdmp
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 0000000E.00000002.2607658011.0000027B80002000.00000002.00000001.01000000.00000025.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000004.00000003.2063828795.0000000004565000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2075226242.0000000004D57000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2108722058.0000000004212000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2170478630.000000000470D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2390605428.00000269FDDD2000.00000002.00000001.01000000.00000023.sdmp, rundll32.exe, 0000003D.00000003.2710479187.0000000004D69000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\code\dapper-dot-net\Dapper\bin\Release\net45\Dapper.pdb source: AgentPackageMonitoring.exe, 00000022.00000002.2389109771.00000269FDC42000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageProgramManagement\AgentPackageProgramManagement\obj\Release\AgentPackageProgramManagement.pdb source: AgentPackageProgramManagement.exe, 0000003A.00000000.2687330507.000002961CC52000.00000002.00000001.01000000.0000002C.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256d source: AgentPackageMonitoring.exe, 00000022.00000002.2389765735.00000269FDCF2000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: PC:\Windows\AgentPackageUpgradeAgent.pdb@[R source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2911067057.0000007C23AF2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageProgramManagement\ThirdPartyPackageManager\obj\Release\ThirdPartyPackageManager.pdb source: AgentPackageProgramManagement.exe, 0000003A.00000002.2815237866.000002961D072000.00000002.00000001.01000000.00000041.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AgentPackageAgentInformation.exe, 00000013.00000000.2244442728.0000013F415E2000.00000002.00000001.01000000.00000016.sdmp
                                Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Configuration.Abstractions/Release/net6.0/Microsoft.Extensions.Configuration.Abstractions.pdbSHA256 source: AteraAgent.exe, 00000019.00000002.2807215547.0000021800548000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdb source: AgentPackageMonitoring.exe, 00000022.00000002.2388833628.00000269FDBC2000.00000002.00000001.01000000.0000001F.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000004.00000003.2063828795.0000000004534000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2075226242.0000000004D26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2108722058.00000000041E1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2170478630.00000000046DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2710479187.0000000004D38000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdbs source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2980050197.000002449F4F4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: symbols\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2911067057.0000007C23AF2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\exe\AgentPackageOsUpdates.pdbs source: AgentPackageOsUpdates.exe, 00000035.00000002.2804841516.0000029466C55000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Configuration.EnvironmentVariables/Release/net6.0/Microsoft.Extensions.Configuration.EnvironmentVariables.pdbSHA256 source: Microsoft.Extensions.Configuration.EnvironmentVariables.dll.25.dr
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AgentPackageAgentInformation.exe, 00000013.00000002.2270233720.0000013F5A6F2000.00000002.00000001.01000000.00000019.sdmp, AgentPackageSTRemote.exe, 0000002F.00000002.2716819083.000002D69C9B0000.00000002.00000001.01000000.00000032.sdmp
                                Source: Binary string: ]c:\borrar\EmptyDll\Release\EmptyDll.pdb source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmp
                                Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Configuration.EnvironmentVariables/Release/net6.0/Microsoft.Extensions.Configuration.EnvironmentVariables.pdb source: Microsoft.Extensions.Configuration.EnvironmentVariables.dll.25.dr
                                Source: Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdbSHA256~ source: AteraAgent.exe, 00000019.00000002.2807215547.0000021800241000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000004.00000003.2063828795.0000000004565000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2075226242.0000000004D57000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2108722058.0000000004212000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2170478630.000000000470D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.2270233720.0000013F5A6F2000.00000002.00000001.01000000.00000019.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2390605428.00000269FDDD2000.00000002.00000001.01000000.00000023.sdmp, AgentPackageSTRemote.exe, 0000002F.00000002.2716819083.000002D69C9B0000.00000002.00000001.01000000.00000032.sdmp, rundll32.exe, 0000003D.00000003.2710479187.0000000004D69000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.PDB source: AgentPackageOsUpdates.exe, 00000035.00000002.2804841516.0000029466BD0000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: AteraAgent.exe, 00000019.00000002.2807215547.00000218006F6000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2973229485.000002449F272000.00000002.00000001.01000000.00000049.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2973229485.000002449F272000.00000002.00000001.01000000.00000049.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates\obj\Release\AgentPackageOsUpdates.pdb source: AgentPackageOsUpdates.exe, 00000035.00000002.2804841516.0000029466C4A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000035.00000002.2804841516.0000029466BD0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000035.00000002.2804841516.0000029466C55000.00000004.00000020.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000035.00000000.2675329099.000002944D9B2000.00000002.00000001.01000000.0000002A.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdbr source: AteraAgent.exe, 00000019.00000002.2991860336.0000021869B0F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000000.2342760248.00000269E48C2000.00000002.00000001.01000000.0000001A.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdb source: AteraAgent.exe, 00000019.00000002.2991860336.0000021869B0F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000000.2342760248.00000269E48C2000.00000002.00000001.01000000.0000001A.sdmp
                                Source: Binary string: \??\C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\*nt.pdbH source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2980050197.000002449F4F4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2911067057.0000007C23AF2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdb source: AgentPackageInternalPoller.exe, 00000033.00000002.2792690357.00000215FEAE2000.00000002.00000001.01000000.0000003D.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msi
                                Source: Binary string: D:\a\1\s\AgentPackageHeartbeat\AgentPackageHeartbeat\obj\Release\AgentPackageHeartbeat.pdb source: AgentPackageHeartbeat.exe, 00000037.00000000.2679474183.000001DB5C312000.00000002.00000001.01000000.0000002B.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb4X source: AgentPackageHeartbeat.exe, 00000037.00000002.2754905148.000001DB5C752000.00000002.00000001.01000000.00000036.sdmp
                                Source: Binary string: c:\borrar\EmptyDll\Release\EmptyDll.pdb source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmp
                                Source: Binary string: C:\buildAgent\work\1b72bc6dac87fa71\code_drop\merge\chocolatey.pdb source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdbPljl \l_CorExeMainmscoree.dll source: AgentPackageTicketing.exe, 0000002D.00000000.2645318451.000001CB82702000.00000002.00000001.01000000.00000027.sdmp
                                Source: Binary string: /_/src/Polly/obj/Release/net461/Polly.pdbSHA256I5 source: AgentPackageOsUpdates.exe, 00000035.00000002.2802288315.0000029466AD2000.00000002.00000001.01000000.0000003E.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000004.00000003.2063828795.0000000004534000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2075226242.0000000004D26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2108722058.00000000041E1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2170478630.00000000046DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2710479187.0000000004D38000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdbSHA256`{f source: AgentPackageMonitoring.exe, 00000022.00000002.2382248089.00000269E51E2000.00000002.00000001.01000000.0000001D.sdmp
                                Source: Binary string: \??\C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\*.pdby source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2980050197.000002449F4F4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000013.00000002.2269430575.0000013F41DF2000.00000002.00000001.01000000.00000018.sdmp, AgentPackageProgramManagement.exe, 0000003A.00000002.2815798469.000002961D0B6000.00000002.00000001.01000000.00000043.sdmp
                                Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.pdbE source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2911067057.0000007C23AF2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: pC:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2911067057.0000007C23AF2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\533\obj\Microsoft.ApplicationInsights\Release\src\Microsoft.ApplicationInsights\net45\Microsoft.ApplicationInsights.pdbCW source: Microsoft.ApplicationInsights.dll.14.dr
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdbcccGCTL source: AteraAgent.exe, 00000019.00000002.2991860336.0000021869B0F000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2980050197.000002449F4AC000.00000004.00000020.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000035.00000002.2804841516.0000029466C3E000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\symbols\exe\AgentPackageUpgradeAgent.pdbc source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2980050197.000002449F4AC000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\dev\sqlite\dotnet-private\bin\2012\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: AgentPackageMonitoring.exe, 00000022.00000002.2405909260.00007FF89FF3A000.00000002.00000001.01000000.0000001B.sdmp, SQLite.Interop.dll.14.dr
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.2164502453.000002C5C6A82000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll0.1.dr
                                Source: Binary string: C:\Windows\AgentPackageUpgradeAgent.pdbpdbent.pdb source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2980050197.000002449F4F4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates.Common\obj\Release\AgentPackageOsUpdates.Common.pdb source: AgentPackageOsUpdates.exe, 00000035.00000002.2739226591.000002944DD52000.00000002.00000001.01000000.00000033.sdmp
                                Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2911067057.0000007C23AF2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000D.00000002.2164502453.000002C5C6A82000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll0.1.dr
                                Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdb source: AteraAgent.exe, 00000019.00000002.2807215547.0000021800492000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdb source: AgentPackageMonitoring.exe, 00000022.00000002.2389296880.00000269FDC82000.00000002.00000001.01000000.00000021.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\TicketingPackageExtensions\obj\Release\TicketingPackageExtensions.pdb source: AgentPackageTicketing.exe, 0000002D.00000002.3319498796.000001CB82F02000.00000002.00000001.01000000.0000004D.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msi
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates.Common\obj\Release\AgentPackageOsUpdates.Common.pdba^{^ m^_CorDllMainmscoree.dll source: AgentPackageOsUpdates.exe, 00000035.00000002.2739226591.000002944DD52000.00000002.00000001.01000000.00000033.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdb source: AgentPackageInternalPoller.exe, 00000033.00000002.2782762236.00000215FE712000.00000002.00000001.01000000.0000003A.sdmp
                                Source: Binary string: .pdbE source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2911067057.0000007C23AF2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: m.pdb source: AteraAgent.exe, 00000019.00000002.2978934094.00000218695D4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdbSHA256 source: AteraAgent.exe, 00000019.00000002.2807215547.0000021800492000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.Contracts\4.0.1.0\System.Diagnostics.Contracts.pdb source: System.Diagnostics.Contracts.dll.25.dr
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdb source: AgentPackageTicketing.exe, 0000002D.00000000.2645318451.000001CB82702000.00000002.00000001.01000000.00000027.sdmp
                                Source: C:\Windows\System32\msiexec.exe File opened: z:
                                Source: C:\Windows\System32\msiexec.exe File opened: x:
                                Source: C:\Windows\System32\msiexec.exe File opened: v:
                                Source: C:\Windows\System32\msiexec.exe File opened: t:
                                Source: C:\Windows\System32\msiexec.exe File opened: r:
                                Source: C:\Windows\System32\msiexec.exe File opened: p:
                                Source: C:\Windows\System32\msiexec.exe File opened: n:
                                Source: C:\Windows\System32\msiexec.exe File opened: l:
                                Source: C:\Windows\System32\msiexec.exe File opened: j:
                                Source: C:\Windows\System32\msiexec.exe File opened: h:
                                Source: C:\Windows\System32\msiexec.exe File opened: f:
                                Source: C:\Windows\System32\msiexec.exe File opened: b:
                                Source: C:\Windows\System32\msiexec.exe File opened: y:
                                Source: C:\Windows\System32\msiexec.exe File opened: w:
                                Source: C:\Windows\System32\msiexec.exe File opened: u:
                                Source: C:\Windows\System32\msiexec.exe File opened: s:
                                Source: C:\Windows\System32\msiexec.exe File opened: q:
                                Source: C:\Windows\System32\msiexec.exe File opened: o:
                                Source: C:\Windows\System32\msiexec.exe File opened: m:
                                Source: C:\Windows\System32\msiexec.exe File opened: k:
                                Source: C:\Windows\System32\msiexec.exe File opened: i:
                                Source: C:\Windows\System32\msiexec.exe File opened: g:
                                Source: C:\Windows\System32\msiexec.exe File opened: e:
                                Source: C:\Windows\System32\cscript.exe File opened: c:
                                Source: C:\Windows\System32\msiexec.exe File opened: a:
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe File opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-CheckSumValid.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe File opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Format-FileSize.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe File opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariableNames.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe File opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariable.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe File opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyUnzip.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe File opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyWebFile.ps1

                                Networking

                                Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 40.119.152.241 443
                                Source: Yara match; File source: 45.2.AgentPackageTicketing.exe.1cb82f00000.1.unpack, type: UNPACKEDPE
                                Source: Yara match; File source: 19.0.AgentPackageAgentInformation.exe.13f415e0000.0.unpack, type: UNPACKEDPE
                                Source: Yara match; File source: 58.2.AgentPackageProgramManagement.exe.296365d0000.5.unpack, type: UNPACKEDPE
                                Source: Yara match; File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll, type: DROPPED
                                Source: Yara match; File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
                                Source: Yara match; File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, type: DROPPED
                                Source: Yara match; File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dll, type: DROPPED
                                Source: Yara match; File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll, type: DROPPED
                                Source: Yara match; File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll, type: DROPPED
                                Source: Joe Sandbox View; IP Address: 40.119.152.241
                                Source: Joe Sandbox View; IP Address: 93.184.221.240
                                Source: Joe Sandbox View; IP Address: 13.107.246.42
                                Source: Joe Sandbox View; ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
                                Source: AteraAgent.exe, 0000000D.00000002.2161796269.000002C5C6900000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2161796269.000002C5C68CB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2164936379.000002C5C6D28000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2161796269.000002C5C6927000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2161796269.000002C5C6863000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2602123621.0000027B7FC5D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2605293146.0000027B7FD3A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2598077770.0000027B7F7AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
                                Source: AteraAgent.exe, 0000000D.00000002.2164936379.000002C5C6D28000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2160988199.000002C5AE23A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2161796269.000002C5C6863000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2579062937.0000027B66985000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2603432372.0000027B7FCC8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67495000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67680000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2602123621.0000027B7FCA4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B6777D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67405000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67521000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2598077770.0000027B7F730000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2601654829.0000027B7FC30000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.00000218007B4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.000002180033F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.000002180078D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.0000021800220000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.0000021800492000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 
00000019.00000002.2807215547.0000021800267000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.0000021800335000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.00000218004CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                                Source: AteraAgent.exe, 0000000E.00000002.2602123621.0000027B7FCA4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlhttp://crl4.digicert.co
                                Source: rundll32.exe, 00000004.00000003.2063828795.0000000004565000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2075226242.0000000004D57000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2108722058.0000000004212000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2161796269.000002C5C6863000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67680000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2598077770.0000027B7F821000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2601654829.0000027B7FC30000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2170478630.000000000470D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.00000218007B4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.0000021800220000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.0000021800492000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2991860336.0000021869AB6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.0000021800241000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.00000218006F6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2991860336.0000021869B0F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.0000021800548000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002B.00000002.2928832701.0000024486B8E000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002B.00000002.2928832701.0000024486B8A000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 
0000003D.00000003.2710479187.0000000004D69000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msi, SQLite.Interop.dll.14.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                                Source: AteraAgent.exe, 0000000D.00000002.2161796269.000002C5C6863000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2602123621.0000027B7FC7F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2601654829.0000027B7FC30000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2603432372.0000027B7FCDB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
                                Source: AteraAgent.exe, 00000019.00000002.2807215547.0000021800548000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2451150229.0000022654A82000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000020.00000003.2357657567.000002C3676DB000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000020.00000002.2363564209.000002C36770E000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000020.00000003.2362461532.000002C36770E000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000020.00000003.2357116382.000002C3676D3000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2391546431.00000269FEC60000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000026.00000002.2908384954.000001D559010000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000002A.00000002.2720670855.000001B5593AE000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000002A.00000003.2716270321.000001B5593AE000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000002A.00000003.2704929724.000001B55937B000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000002A.00000003.2687020015.000001B559373000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000002A.00000003.2717204547.000001B5593AE000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002B.00000002.2928832701.0000024486B8E000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002B.00000002.2914256319.00000244862C9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002B.00000002.2980050197.000002449F4AC000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002B.00000002.2928832701.0000024486B8A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 0000002D.00000002.3733328798.000001CB9B8E2000.00000004.00000020.00020000.00000000.sdmp, 
AgentPackageSTRemote.exe, 0000002F.00000002.2722291632.000002D69CA6A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 00000033.00000002.2784580394.00000215FE8C4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageHeartbeat.exe, 00000037.00000002.2778105972.000001DB75544000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                                Source: AteraAgent.exe, 0000000E.00000002.2603432372.0000027B7FCDB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl5%KKs
                                Source: AteraAgent.exe, 0000000D.00000002.2161796269.000002C5C6840000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlL
                                Source: AteraAgent.exe, 0000000D.00000002.2161796269.000002C5C6927000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlg%3D
                                Source: rundll32.exe, 00000004.00000003.2063828795.0000000004565000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2075226242.0000000004D57000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2108722058.0000000004212000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2170478630.000000000470D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2710479187.0000000004D69000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msiString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
                                Source: rundll32.exe, 00000004.00000003.2063828795.0000000004565000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2075226242.0000000004D57000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2108722058.0000000004212000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2170478630.000000000470D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2710479187.0000000004D69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
                                Source: AteraAgent.exe, 0000000D.00000002.2161796269.000002C5C68CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/l~
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
                                Source: rundll32.exe, 00000004.00000003.2063828795.0000000004565000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2075226242.0000000004D57000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2108722058.0000000004212000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2170478630.000000000470D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmp, rundll32.exe, 0000003D.00000003.2710479187.0000000004D69000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msiString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                                Source: AteraAgent.exe, 0000000D.00000002.2161796269.000002C5C6927000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlrlCache
                                Source: AteraAgent.exe, 0000000D.00000002.2161796269.000002C5C6927000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedRootG4.crl6
                                Source: rundll32.exe, 00000004.00000003.2063828795.0000000004565000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2075226242.0000000004D57000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2108722058.0000000004212000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2170478630.000000000470D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmp, rundll32.exe, 0000003D.00000003.2710479187.0000000004D69000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msiString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                                Source: AteraAgent.exe, 0000000D.00000002.2161796269.000002C5C6900000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2164936379.000002C5C6D28000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2161796269.000002C5C6927000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2161796269.000002C5C6863000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67495000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B6777D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2602123621.0000027B7FC5D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67405000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2605293146.0000027B7FD3A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67521000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2598077770.0000027B7F7AC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.000002180078D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.0000021800492000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.0000021800335000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.00000218004B2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.00000218003D0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.00000218004E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
                                Source: AteraAgent.exe, 0000000D.00000002.2164936379.000002C5C6D28000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2160988199.000002C5AE23A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2161796269.000002C5C6863000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2579062937.0000027B66985000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2603432372.0000027B7FCC8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67680000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2602123621.0000027B7FCA4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2598077770.0000027B7F730000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2601654829.0000027B7FC30000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.00000218007B4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.000002180033F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.0000021800220000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.0000021800492000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.0000021800267000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.00000218004CD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.00000218004B2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.00000218005A6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.000002180023B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 
00000019.00000002.2807215547.00000218003EB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2991860336.0000021869AB6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.0000021800241000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                                Source: AteraAgent.exe, 0000000E.00000002.2605293146.0000027B7FD3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlH
                                Source: AteraAgent.exe, 0000000D.00000002.2161796269.000002C5C6863000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlOd
                                Source: AteraAgent.exe, 0000000D.00000002.2164936379.000002C5C6D28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlo
                                Source: rundll32.exe, 00000004.00000003.2063828795.0000000004565000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2075226242.0000000004D57000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2108722058.0000000004212000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2170478630.000000000470D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2710479187.0000000004D69000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msiString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
                                Source: rundll32.exe, 00000004.00000003.2063828795.0000000004565000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2075226242.0000000004D57000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2108722058.0000000004212000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2170478630.000000000470D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2710479187.0000000004D69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
                                Source: AteraAgent.exe, 0000000D.00000002.2161796269.000002C5C68CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/n
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
                                Source: rundll32.exe, 00000004.00000003.2063828795.0000000004565000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2075226242.0000000004D57000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2108722058.0000000004212000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2170478630.000000000470D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmp, rundll32.exe, 0000003D.00000003.2710479187.0000000004D69000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msiString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                                Source: AteraAgent.exe, 0000000D.00000002.2161796269.000002C5C6927000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlche
                                Source: AteraAgent.exe, 0000000E.00000002.2603432372.0000027B7FCDB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                                Source: AteraAgent.exe, 0000000E.00000002.2602123621.0000027B7FC5D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B6752C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.0000021800492000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.00000218007A6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.00000218006F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://d25btwd9wax8gu.cloudfront.net
                                Source: AgentPackageAgentInformation.exe, 00000013.00000000.2244442728.0000013F415E2000.00000002.00000001.01000000.00000016.sdmpString found in binary or memory: http://dl.google.com/googletalk/googletalk-setup.exe
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.00000296365D2000.00000002.00000001.01000000.00000047.sdmp, Install-ChocolateyZipPackage.ps1.58.drString found in binary or memory: http://download.sysinternals.com/Files/SysinternalsSuite.zip
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.00000296365D2000.00000002.00000001.01000000.00000047.sdmp, Install-ChocolateyZipPackage.ps1.58.drString found in binary or memory: http://download.sysinternals.com/Files/SysinternalsSuitex64.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2607234597.0000027B7FE2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
                                Source: rundll32.exe, 0000003D.00000003.2710479187.0000000004D69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://james.newtonking.com/projects/json
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.00000296365D2000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: http://learn-powershell.net/2013/02/08/powershell-and-events-object-events/
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2817292245.000002961D4E2000.00000002.00000001.01000000.00000044.sdmpString found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
                                Source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2980050197.000002449F4F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://microsoft.coI
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmp, AgentPackageProgramManagement.exe, 0000003A.00000002.2822805972.000002961D906000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mirrors.kernel.org/sourceware/cygwin/
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2389765735.00000269FDCF2000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: http://nlog-project.org/dummynamespace/
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2389765735.00000269FDCF2000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: http://nlog-project.org/ws/
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2389765735.00000269FDCF2000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: http://nlog-project.org/ws/3
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2389765735.00000269FDCF2000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: http://nlog-project.org/ws/5
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2389765735.00000269FDCF2000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverOneWayServer/ProcessLogMessages
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2389765735.00000269FDCF2000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesResponsep
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2389765735.00000269FDCF2000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesT
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2389765735.00000269FDCF2000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: http://nlog-project.org/ws/T
                                Source: AgentPackageHeartbeat.exe, 00000037.00000002.2762286308.000001DB5CEFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ns-prod-dm2-az501.centralus.cloudapp.azure.com
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.00000296365D2000.00000002.00000001.01000000.00000047.sdmp, Start-ChocolateyProcessAsAdmin.ps1.58.drString found in binary or memory: http://nsis.sourceforge.net/Docs/AppendixD.html
                                Source: AteraAgent.exe, 00000019.00000002.2807215547.00000218006F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digice
                                Source: AteraAgent.exe, 0000000E.00000002.2601654829.0000027B7FC30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com
                                Source: AteraAgent.exe, 0000000D.00000002.2161796269.000002C5C6863000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2605293146.0000027B7FD3A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2598077770.0000027B7F730000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rh
0000001C.00000002.2437275862.000002263C051000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2382587021.00000269E536D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000026.00000002.2821800701.000001D5409B4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 0000002D.00000002.3320390097.000001CB82F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com
                                Source: rundll32.exe, 00000004.00000003.2063828795.0000000004534000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2106152856.0000000005074000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2106152856.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2075226242.0000000004D26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2108722058.00000000041E1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2212651176.0000000004BD7000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2212651176.0000000004B31000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2170478630.00000000046DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2710479187.0000000004D38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2437275862.000002263C2C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Prh
                                Source: AteraAgent.exe, 00000019.00000002.2807215547.0000021800001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Pro
                                Source: AgentPackageAgentInformation.exe, 00000013.00000002.2269551322.0000013F41FA3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2273338686.000001852EEFF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2437275862.000002263C249000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2437275862.000002263C20D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000026.00000002.2821800701.000001D5409B4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 0000002F.00000002.2705317497.000002D684298000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003A.00000002.2822805972.000002961D906000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production
                                Source: AteraAgent.exe, 00000019.00000002.2807215547.0000021800548000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/A
                                Source: rundll32.exe, 00000004.00000003.2063828795.0000000004534000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2106152856.0000000005074000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2106152856.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2075226242.0000000004D26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2108722058.00000000041E1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67495000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67405000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B6752C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67521000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2212651176.0000000004BD7000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2212651176.0000000004B31000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2170478630.00000000046DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2710479187.0000000004D38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67521000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/AcknowledgeCommands
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67121000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStarting
                                Source: AgentPackageAgentInformation.exe, 00000013.00000002.2269551322.0000013F41FA3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2273338686.000001852EEFF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/CommandResult
                                Source: AgentPackageTicketing.exe, 0000002D.00000002.3320390097.000001CB82F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/CommandResultRecurring/AgentPackageTicketingInstallHelp
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B6717F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B670F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommands
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67121000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B6717F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsFallback
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67071000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetEnvironmentStatus
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B6717F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67071000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackages
                                Source: AgentPackageSTRemote.exe, 0000002F.00000002.2705317497.000002D684298000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRemoteToolStatusWithAccount
                                Source: AteraAgent.exe, 00000019.00000002.2807215547.0000021800220000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.0000021800548000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/Trace
                                Source: AgentPackageInternalPoller.exe, 00000033.00000002.2716685556.0000021580020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/agentMonitoredDevices/7a7e43f1-0afc-4f50-8c61-339131846
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2437275862.000002263C279000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/dynamic-fields/
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2437275862.000002263C279000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2437275862.000002263C051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/dynamic-fields/script-based
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2437275862.000002263C2C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/guiComm
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2437275862.000002263C0E3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2437275862.000002263C2C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/guiCommandResult
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2437275862.000002263C249000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2437275862.000002263C20D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000026.00000002.2821800701.000001D5409B4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003A.00000002.2822805972.000002961D906000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/recurringCommandResult
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2382587021.00000269E536D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/thresholds/7a7e43f1-0afc-4f50-8c61-339131846a69
                                Source: rundll32.exe, 00000005.00000002.2106152856.0000000005074000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2106152856.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2212651176.0000000004BD7000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2212651176.0000000004B31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event
                                Source: rundll32.exe, 00000005.00000002.2106152856.00000000050B6000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2212651176.0000000004C16000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event;
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67495000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67405000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B6752C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67521000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.compI
                                Source: AteraAgent.exe, 00000019.00000002.2991860336.0000021869B0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/dotnet-core-applaunch?
                                Source: AteraAgent.exe, 00000019.00000002.2991860336.0000021869B0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/dotnet-core-applaunch?You
                                Source: AteraAgent.exe, 00000019.00000002.2991860336.0000021869B0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/dotnet/app-launch-failed
                                Source: AteraAgent.exe, 00000019.00000002.2991860336.0000021869B0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/dotnet/app-launch-failed&gui=trueShowing
                                Source: AgentPackageTicketing.exe, 0000002D.00000002.3320390097.000001CB82FAF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.nuget.org
                                Source: AgentPackageTicketing.exe, 0000002D.00000002.3320390097.000001CB82FAF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 0000002D.00000002.3319498796.000001CB82F02000.00000002.00000001.01000000.0000004D.sdmpString found in binary or memory: https://api.nuget.org/v3-flatcontainer/eo.webbrowser/24.1.46/eo.webbrowser.24.1.46.nupkg
                                Source: AgentPackageHeartbeat.exe, 00000037.00000002.2762286308.000001DB5CEEE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageHeartbeat.exe, 00000037.00000002.2762286308.000001DB5CDE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://atera-agent-heartbeat-cus.servicebus.windows.net
                                Source: AgentPackageHeartbeat.exe, 00000037.00000002.2762286308.000001DB5CDE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://atera-agent-heartbeat-cus.servicebus.windows.net/
                                Source: AgentPackageHeartbeat.exe, 00000037.00000002.2776078400.000001DB754A0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageHeartbeat.exe, 00000037.00000002.2762286308.000001DB5CDE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://atera-agent-heartbeat-cus.servicebus.windows.net/agentheartbeat/messages
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://bit.ly/1duJ9bM).
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://bit.ly/1g0R3Os).
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://bitbucket.org/jonforums/uru)
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://ch0.co/moderation
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://ch0.co/nexus2apikey).
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://ch0.co/packages_config
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.00000296365D2000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://chocolatey.org).
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2822805972.000002961D7B1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://chocolatey.org/
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://chocolatey.org/9https://push.chocolatey.org/Chttps://community.chocolatey.org/Qhttps://commu
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2822805972.000002961DABE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chocolatey.org/co
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2822805972.000002961D906000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003A.00000002.2822805972.000002961DABE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chocolatey.org/compare
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://chocolatey.org/compare.
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2822805972.000002961DABE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chocolatey.org/compare2
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2822805972.000002961DABE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chocolatey.org/compareH
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://chocolatey.org/comparekThis
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2822805972.000002961D906000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chocolatey.org/comparep
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2822805972.000002961DABE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chocolatey.org/comparex7
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.00000296365D2000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://chocolatey.org/contact.
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://community.chocolatey.org)
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2822805972.000002961D7B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2822805972.000002961DABE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/.
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2822805972.000002961D906000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/6ch
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2822805972.000002961D7B1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003A.00000002.2822805972.000002961D906000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/8
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2822805972.000002961D7B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/h
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2822805972.000002961D906000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/p
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.00000296365D2000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://community.chocolatey.org/packages)
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://community.chocolatey.org/packages).
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://community.chocolatey.org/packages/autohotkey.portable
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.00000296365D2000.00000002.00000001.01000000.00000047.sdmp, Install-ChocolateyZipPackage.ps1.58.drString found in binary or memory: https://community.chocolatey.org/packages/checksum)
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.00000296365D2000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://community.chocolatey.org/packages/checksum.
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://community.chocolatey.org/packages/chocolatey-core.extension
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://community.chocolatey.org/packages/pik)
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://community.chocolatey.org/packages?q=id%3A.extension
                                Source: Microsoft.ApplicationInsights.dll.14.drString found in binary or memory: https://dc.services.visualstudio.com/api/profiles/
                                Source: Microsoft.ApplicationInsights.dll.14.drString found in binary or memory: https://dc.services.visualstudio.com/v2/trackOStartRunnerEvent
                                Source: Microsoft.ApplicationInsights.dll.14.drString found in binary or memory: https://dc.services.visualstudio.com/v2/trackvhttps://dc.services.visualstudio.com/api/profiles/
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/choco/commands/uninstall
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmp, AgentPackageProgramManagement.exe, 0000003A.00000002.2822805972.000002961D906000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/choco/setup#non-administrative-install
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/community-repository/community-packages-disclaimer
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/community-repository/moderation/
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/automatic-packages
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/automatic-packages#automatic-updater-au
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.00000296365D2000.00000002.00000001.01000000.00000047.sdmp, Install-ChocolateyZipPackage.ps1.58.drString found in binary or memory: https://docs.chocolatey.org/en-us/create/automatic-packages)
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/create-packages
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/create-packages#how-do-i-exclude-executables-from-getting-s
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/create-packages#how-do-i-set-up-shims-for-applications-that
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/create-packages#package-icon-guidelines
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/get-chocolateyunzipp
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/get-chocolateywebfile
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/get-osarchitecturewidth
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://docs.chocolatey.org/en-us/create/functions/get-toolslocation
                                Source: AteraAgent.exe, 00000019.00000002.2807215547.00000218009B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageRuntimeInstaller/1.6/AgentPackageRuntimeInstalle
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67341000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.00000218000B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/22.1/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67341000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.00000218000B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/26.8/AgentPackageSystemTools.zip
                                Source: AteraAgent.exe, 00000019.00000002.2807215547.00000218000EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/26.8/AgentPackageSystemTools.zip?
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67341000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.00000218000B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/28.3/AgentPackageTicketing.zip
                                Source: AteraAgent.exe, 00000019.00000002.2807215547.00000218000B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/28.3/AgentPackageTicketing.zip?
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67341000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.00000218000B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/26.8/AgentPackageUpgradeAgent.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67621000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Availability/13.0/Agent.Package.Availability.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B671F0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67621000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.IotPoc/13.0/Agent.Package.IotPoc.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67621000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Watchdog/13.0/Agent.Package.Watchdog.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageADRemote/1.2/AgentPackageADRemote.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67341000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageAgentInformation/22.7/AgentPackageAgentInformation
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B671F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageHeartbeat/16.9
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageHeartbeat/16.9/AgentPackageHeartbeat.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageInternalPoller/15.9/AgentPackageInternalPoller.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageMarketplace/13.0/AgentPackageMarketplace.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B6752C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageMonitoring/22.0/AgentPackageMonitoring.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageNetworkDiscovery/15.0/AgentPackageNetworkDiscovery
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageOsUpdates/1.0/AgentPackageOsUpdates.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageProgramManagement/15.5/AgentPackageProgramManageme
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstaller
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageSTRemote/16.0/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageSystemTools/18.9/AgentPackageSystemTools.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageTaskScheduler/13.1/AgentPackageTaskScheduler.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageTicketing/18.9/AgentPackageTicketing.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageUpgradeAgent/22.1/AgentPackageUpgradeAgent.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageWindowsUpdate/18.3/AgentPackageWindowsUpdate.zip
                                Source: AgentPackageTicketing.exe, 0000002D.00000002.3319498796.000001CB82F02000.00000002.00000001.01000000.0000004D.sdmpString found in binary or memory: https://ps.atera.com/installers/EO.WebBrowser/eo.webbrowser.24.1.46.nupkg
                                Source: AgentPackageTicketing.exe, 0000002D.00000002.3320390097.000001CB82FAF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/installers/EO.WebBrowser/eo.webbrowser.24.1.46.nupkgX
                                Source: AgentPackageSTRemote.exe, 0000002F.00000000.2647790418.000002D683892000.00000002.00000001.01000000.00000028.sdmpString found in binary or memory: https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exe
                                Source: AgentPackageSTRemote.exe, 0000002F.00000000.2647790418.000002D683892000.00000002.00000001.01000000.00000028.sdmpString found in binary or memory: https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exepUsers/Shared/Splashtop
                                Source: AgentPackageTicketing.exe, 0000002D.00000002.3319498796.000001CB82F02000.00000002.00000001.01000000.0000004D.sdmpString found in binary or memory: https://ps.atera.com/translations/TicketingTray/
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B675F7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67495000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67414000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B6752C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.00000218003D0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.00000218003DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B675F7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67121000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67495000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67414000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B6752C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.0000021800080000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.00000218003D0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.00000218003EB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.00000218003DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67121000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0d7fba8c-4b2e-4e1f-8813-26d30614aa37
                                Source: AteraAgent.exe, 00000019.00000002.2807215547.00000218003D0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=1a1a0d2a-ae34-47d7-a928-b1e7ae6ed296
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B6717F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=26ac4b95-6436-4847-8fb6-6ce69e42fddd
                                Source: AteraAgent.exe, 00000019.00000002.2807215547.0000021800080000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=31afed18-0b39-4a6c-a9ae-142f45da6aa5
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B6752C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=5370b489-3c81-41b7-97be-b9a9b6aa8567
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B6717F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=84204da8-7f16-4194-9ed4-b10921ed652c
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67414000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9af673b7-a4cd-493d-b1a1-66c6ee190568
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67495000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ffeea687-a866-440a-b4ae-661178cdee35
                                Source: AteraAgent.exe, 00000019.00000002.2807215547.00000218003EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v
                                Source: AteraAgent.exe, 00000019.00000002.2807215547.00000218003D0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ch
                                Source: AteraAgent.exe, 00000019.00000002.2807215547.00000218003DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/7a7e43f1
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67341000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.00000218000B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/7a7e43f1-0afc-4f50-8c61
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://push.chocolatey.org
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2822805972.000002961D7B1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://push.chocolatey.org/
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.00000296365D2000.00000002.00000001.01000000.00000047.sdmp, checksum.license.txt.58.drString found in binary or memory: https://raw.github.com/ferventcoder/checksum/master/LICENSE
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://raw.githubusercontent.com/wiki/chocolatey/choco/images/gifs/choco_config.gif
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://raw.githubusercontent.com/wiki/chocolatey/choco/images/gifs/choco_install.gif
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://raw.githubusercontent.com/wiki/chocolatey/choco/images/gifs/choco_outdated.gif
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://raw.githubusercontent.com/wiki/chocolatey/choco/images/gifs/choco_search.gif
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://raw.githubusercontent.com/wiki/chocolatey/choco/images/gifs/choco_uninstall.gif
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://raw.githubusercontent.com/wiki/chocolatey/choco/images/gifs/choco_upgrade.gif
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://raw.githubusercontent.com/wiki/chocolatey/choco/images/gifs/chocopro_install_stopped.gif
                                Source: AgentPackageTicketing.exe, 0000002D.00000002.3319498796.000001CB82F02000.00000002.00000001.01000000.0000004D.sdmpString found in binary or memory: https://setup-app-resolver.atera.com
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.00000296365D2000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://sevenzip.osdn.jp/chm/general/formats.htm
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.00000296365D2000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://somelocation.com/
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.00000296365D2000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://somelocation.com/thefile.exe
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.00000296365D2000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://somewhere.com/file-x64.msi
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.00000296365D2000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://somewhere.com/file.msi
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.00000296365D2000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://somewhere.com/file.mst
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.00000296365D2000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://somewhere/bob-x64.exe
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.00000296365D2000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://somewhere/bob.exe
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpString found in binary or memory: https://somewhere/out/there.msi
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2389296880.00000269FDC82000.00000002.00000001.01000000.00000021.sdmpString found in binary or memory: https://system.data.sqlite.org/
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2389696974.00000269FDCE4000.00000002.00000001.01000000.00000021.sdmpString found in binary or memory: https://system.data.sqlite.org/X
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2389296880.00000269FDC82000.00000002.00000001.01000000.00000021.sdmpString found in binary or memory: https://urn.to/r/sds_see
                                Source: AgentPackageTicketing.exe, 0000002D.00000002.3319498796.000001CB82F02000.00000002.00000001.01000000.0000004D.sdmpString found in binary or memory: https://westeurope-5.in.applicationinsights.azure.com/;LiveEndpoint=https://westeurope.livediagnosti
                                Source: rundll32.exe, 00000004.00000003.2063828795.0000000004565000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2075226242.0000000004D57000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2108722058.0000000004212000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2170478630.000000000470D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmp, rundll32.exe, 0000003D.00000003.2710479187.0000000004D69000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msiString found in binary or memory: https://www.digicert.com/CPS0
                                Source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmp, AgentPackageProgramManagement.exe, 0000003A.00000002.2822805972.000002961D906000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.howsmyssl.com/
                                Source: AteraAgent.exe, 0000000E.00000002.2578123901.0000027B001F7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.netlock.hu/docs/
                                Source: rundll32.exe, 00000004.00000003.2063828795.0000000004565000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2075226242.0000000004D57000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2108722058.0000000004212000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2170478630.000000000470D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2710479187.0000000004D69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/json
                                Source: rundll32.exe, 0000003D.00000003.2710479187.0000000004D69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/jsonschema
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2390537214.00000269FDDC8000.00000002.00000001.01000000.00000022.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2389765735.00000269FDCF2000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: https://www.nuget.org/packages/NLog.Web.AspNetCore
                                Source: rundll32.exe, 00000004.00000003.2063828795.0000000004565000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2075226242.0000000004D57000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2108722058.0000000004212000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2170478630.000000000470D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.2270233720.0000013F5A6F2000.00000002.00000001.01000000.00000019.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2390605428.00000269FDDD2000.00000002.00000001.01000000.00000023.sdmp, AgentPackageSTRemote.exe, 0000002F.00000002.2716819083.000002D69C9B0000.00000002.00000001.01000000.00000032.sdmp, rundll32.exe, 0000003D.00000003.2710479187.0000000004D69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                                Source: AgentPackageMonitoring.exeString found in binary or memory: https://www.sqlite.org/copyright.html
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2406321218.00007FF89FF84000.00000002.00000001.01000000.0000001B.sdmp, SQLite.Interop.dll.14.drString found in binary or memory: https://www.sqlite.org/copyright.html2
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

                                Spam, unwanted Advertisements and Ransom Demands

                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\42b8bf.msi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIBA36.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIBCE7.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICC98.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICE7D.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICE8E.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICEDD.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICFD8.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\42b8c1.msi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE45B.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\42b8c2.msi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB567.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIBC8C.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC519.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID66F.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID78A.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID8D3.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID941.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF074.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF075.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF112.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF171.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\42b8ce.msi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF922.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIBA36.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIBA36.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIBA36.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIBA36.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIBA36.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIBA36.tmp-\CustomAction.config
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIBCE7.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIBCE7.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIBCE7.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIBCE7.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIBCE7.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIBCE7.tmp-\CustomAction.config
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSICC98.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSICC98.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSICC98.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSICC98.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSICC98.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSICC98.tmp-\CustomAction.config
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\InstallUtil.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIE45B.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIE45B.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIE45B.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIE45B.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIE45B.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIE45B.tmp-\CustomAction.config
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSTRemote.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageOsUpdates.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageHeartbeat.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageProgramManagement.exe.log
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIB567.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIB567.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIB567.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIB567.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIB567.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIB567.tmp-\CustomAction.config
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
                                Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSIBA36.tmp
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FDF564034_2_00007FF89FDF5640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE4B64734_2_00007FF89FE4B647
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE2F63034_2_00007FF89FE2F630
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FDED63434_2_00007FF89FDED634
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FF14C8034_2_00007FF89FF14C80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FDE955C34_2_00007FF89FDE955C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FF30D3034_2_00007FF89FF30D30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FDE74B034_2_00007FF89FDE74B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FF1CD6034_2_00007FF89FF1CD60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FDE347434_2_00007FF89FDE3474
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FEBF3E034_2_00007FF89FEBF3E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE093D034_2_00007FF89FE093D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE7B37034_2_00007FF89FE7B370
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FDEF34034_2_00007FF89FDEF340
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE7D35034_2_00007FF89FE7D350
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FDED28434_2_00007FF89FDED284
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE5F22034_2_00007FF89FE5F220
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FEF320034_2_00007FF89FEF3200
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE4F1B034_2_00007FF89FE4F1B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FDE11B034_2_00007FF89FDE11B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE7917034_2_00007FF89FE79170
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FF150F034_2_00007FF89FF150F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE2902034_2_00007FF89FE29020
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE7EFD034_2_00007FF89FE7EFD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE2AFB034_2_00007FF89FE2AFB0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FDF2F8C34_2_00007FF89FDF2F8C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FDECEA834_2_00007FF89FDECEA8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE0CE7034_2_00007FF89FE0CE70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE40E3034_2_00007FF89FE40E30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FDE4DB434_2_00007FF89FDE4DB4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FEA8D2034_2_00007FF89FEA8D20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE66D2034_2_00007FF89FE66D20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE54D0034_2_00007FF89FE54D00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FDF6CC034_2_00007FF89FDF6CC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE2ACD034_2_00007FF89FE2ACD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE8CC0034_2_00007FF89FE8CC00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE38B9034_2_00007FF89FE38B90
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE5CB5034_2_00007FF89FE5CB50
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FECAB0034_2_00007FF89FECAB00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE06A8034_2_00007FF89FE06A80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FEAAA7034_2_00007FF89FEAAA70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE28A6034_2_00007FF89FE28A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FF2F79034_2_00007FF89FF2F790
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FDE8A3C34_2_00007FF89FDE8A3C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FF3184034_2_00007FF89FF31840
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE3E99034_2_00007FF89FE3E990
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FED691034_2_00007FF89FED6910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FDE28C034_2_00007FF89FDE28C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE388A034_2_00007FF89FE388A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FDF886034_2_00007FF89FDF8860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FEA686034_2_00007FF89FEA6860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FDEE80C34_2_00007FF89FDEE80C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE7A7E034_2_00007FF89FE7A7E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FDF273834_2_00007FF89FDF2738
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FDFE72034_2_00007FF89FDFE720
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE6060034_2_00007FF89FE60600
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE9A5D034_2_00007FF89FE9A5D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FF005D034_2_00007FF89FF005D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FF23C2034_2_00007FF89FF23C20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FDE85D434_2_00007FF89FDE85D4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE9E59034_2_00007FF89FE9E590
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FEC659034_2_00007FF89FEC6590
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE6455034_2_00007FF89FE64550
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FDEA52434_2_00007FF89FDEA524
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE3051034_2_00007FF89FE30510
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FDF44DC34_2_00007FF89FDF44DC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE464A034_2_00007FF89FE464A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE0033034_2_00007FF89FE00330
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FEA831034_2_00007FF89FEA8310
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE0231034_2_00007FF89FE02310
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE8A2F034_2_00007FF89FE8A2F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE822B034_2_00007FF89FE822B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE5224034_2_00007FF89FE52240
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE9C22034_2_00007FF89FE9C220
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE6C11034_2_00007FF89FE6C110
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF848990FD534_2_00007FF848990FD5
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF84898BD5134_2_00007FF84898BD51
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF84898D02934_2_00007FF84898D029
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF84899122F34_2_00007FF84899122F
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF848BA2BCF34_2_00007FF848BA2BCF
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF848BA32A634_2_00007FF848BA32A6
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF848CF4DA034_2_00007FF848CF4DA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF848CE513834_2_00007FF848CE5138
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF848CB0B8834_2_00007FF848CB0B88
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF848CB103734_2_00007FF848CB1037
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF848CB106934_2_00007FF848CB1069
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF848D7F37834_2_00007FF848D7F378
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF848D74F8834_2_00007FF848D74F88
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF848D7F45834_2_00007FF848D7F458
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF848F239F534_2_00007FF848F239F5
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF848F1000A34_2_00007FF848F1000A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF848F1C4A834_2_00007FF848F1C4A8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF848F1158D34_2_00007FF848F1158D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF848F23B8034_2_00007FF848F23B80
                                Source: Joe Sandbox ViewDropped File: 42b8c6.rbf (copy) A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                Source: Joe Sandbox ViewDropped File: 42b8c8.rbf (copy) 2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FF89FF31B70 appears 102 times
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FF89FF31D30 appears 114 times
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FF89FF306B0 appears 145 times
                                Source: SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msiBinary or memory string: OriginalFilenameAlphaControlAgentInstallation.dll\ vs SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msi
                                Source: SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msiBinary or memory string: OriginalFilenameSfxCA.dll\ vs SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msi
                                Source: SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msiBinary or memory string: OriginalFilenamewixca.dll\ vs SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msi
                                Source: ICSharpCode.SharpZipLib.dll.1.dr, InflaterInputBuffer.csCryptographic APIs: 'TransformBlock'
                                Source: ICSharpCode.SharpZipLib.dll.1.dr, DeflaterOutputStream.csCryptographic APIs: 'TransformBlock'
                                Source: ICSharpCode.SharpZipLib.dll.1.dr, ZipAESTransform.csCryptographic APIs: 'TransformBlock'
                                Source: AteraAgent.exe.1.dr, SignatureValidator.csBase64 encoded string: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YmxeR/2wifvwd/MQXb/5tsLsvlMs50tmraklX8MKsU1EgEpRZ+W0Ro1ZHoLhQG53oq9hPz9bmJge78yZr6l1QJWz6wCj+yQUxM5f0gt4fHEf2yA94Tklnds7JPr2vQRb5rjAnxnt7722oWFc1bxFFsIcIhOI/EHYCE0qSPE1pKMXALkHZYoDQEFUu3YgEc0Oo7ClJNFrB75g6tVZRqGKxVvYQBb9zKDxhBRnDkhZuB7D1gRaR9PNwCr7tVtPt40c+CCf5ktUkeu4JzaiEipWvKYgRvotqsFtZF5uFso2UmdvxO+lIw9i/GPDfgS4JhKu/Y9lCuaan+xEluhSK0vpQIDAQAB'
                                Source: AteraAgent.exe0.1.dr, SignatureValidator.csBase64 encoded string: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YmxeR/2wifvwd/MQXb/5tsLsvlMs50tmraklX8MKsU1EgEpRZ+W0Ro1ZHoLhQG53oq9hPz9bmJge78yZr6l1QJWz6wCj+yQUxM5f0gt4fHEf2yA94Tklnds7JPr2vQRb5rjAnxnt7722oWFc1bxFFsIcIhOI/EHYCE0qSPE1pKMXALkHZYoDQEFUu3YgEc0Oo7ClJNFrB75g6tVZRqGKxVvYQBb9zKDxhBRnDkhZuB7D1gRaR9PNwCr7tVtPt40c+CCf5ktUkeu4JzaiEipWvKYgRvotqsFtZF5uFso2UmdvxO+lIw9i/GPDfgS4JhKu/Y9lCuaan+xEluhSK0vpQIDAQAB'
                                Source: classification engineClassification label: mal100.troj.spyw.evad.winMSI@106/597@0/10
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1772:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7840:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7920:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeMutant created: \BaseNamedObjects\Global\NLog-FileFileArchiveLock-c:_program files (x86)_atera networks_ateraagent_packages_agentpackageosupdates_log.txt
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1372:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4456:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4816:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7704:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6976:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6760:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7788:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\GenericDevicesFileLock
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7596:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeMutant created: \BaseNamedObjects\C__Program Files (x86)_ATERA Networks_AteraAgent_Packages_AgentPackageProgramManagement_logs_chocolatey.log
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:368:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5300:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
                                Source: C:\Windows\SysWOW64\rundll32.exeMutant created: NULL
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7520:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2952:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\SNMPDevicesFileLock
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeMutant created: \BaseNamedObjects\NLogMutexTester
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2072:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeMutant created: \BaseNamedObjects\Global\{bd59231e-97d1-4fc0-a975-80c3fed498b7}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeMutant created: \BaseNamedObjects\C__Program Files (x86)_ATERA Networks_AteraAgent_Packages_AgentPackageProgramManagement_logs_choco.summary.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\HttpDevicesFileLock
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8100:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8164:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3396:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7984:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\ServerDevicesFileLock
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\~DF4DE34DAD7D3601C7.TMP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AteraAgent.exe")
                                Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AteraAgent.exe")
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AteraAgent.exe")
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile read: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
                                Source: C:\Windows\System32\msiexec.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIBA36.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4373156 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: AteraAgent.exe, 00000019.00000002.2991860336.0000021869B0F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000000.2342760248.00000269E48C2000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: SELECT Identifier, Severity, Timestamp FROM ThresholdDuration WHERE Identifier = @id;kDELETE FROM ThresholdDuration WHERE Identifier = @id;
                                Source: AteraAgent.exe, 00000019.00000002.2991860336.0000021869B0F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000000.2342760248.00000269E48C2000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: INSERT INTO [AlertsSent] (Timestamp, Alerts) VALUES (@timestamp, @alerts);kExecuteScriptAsync SystemTools Start scriptGuid : {0}Wrunscriptguid {0} 10 W10= disableSendResultC{0} {1} {2} {3} or8ixLi90Mf "{4}"
                                Source: AteraAgent.exe, 00000019.00000002.2991860336.0000021869B0F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000000.2342760248.00000269E48C2000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: INSERT INTO ThresholdDuration (Identifier,Severity,Timestamp) Values (@identifier, @severity, @timestamp) ON CONFLICT (Identifier) DO UPDATE SET Severity = excluded.Severity, Timestamp = excluded.Timestamp;
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2382587021.00000269E536D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);
                                Source: AteraAgent.exe, 00000019.00000002.2991860336.0000021869B0F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2382587021.00000269E536D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000000.2342760248.00000269E48C2000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS StatisticsSendTime (Id INTEGER PRIMARY KEY,Timestamp BIGINT NOT NULL);
                                Source: AteraAgent.exe, 00000019.00000002.2991860336.0000021869B0F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000000.2342760248.00000269E48C2000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: INSERT INTO Statistics(Name, Timestamp, Value) Values (@name, @timestamp, @value);%StatisticsSendTime
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2382587021.00000269E536D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);@
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000022.00000002.2405909260.00007FF89FF3A000.00000002.00000001.01000000.0000001B.sdmp, SQLite.Interop.dll.14.drBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                                Source: AteraAgent.exe, 00000019.00000002.2991860336.0000021869B0F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2382587021.00000269E536D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000000.2342760248.00000269E48C2000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2382587021.00000269E536D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);@
                                Source: AteraAgent.exe, 00000019.00000002.2991860336.0000021869B0F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2382587021.00000269E536D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000000.2342760248.00000269E48C2000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Stub (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2382587021.00000269E536D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2382587021.00000269E536D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);@
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2382587021.00000269E536D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2405909260.00007FF89FF3A000.00000002.00000001.01000000.0000001B.sdmp, SQLite.Interop.dll.14.drBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000022.00000002.2405909260.00007FF89FF3A000.00000002.00000001.01000000.0000001B.sdmp, SQLite.Interop.dll.14.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2391278461.00000269FE9F5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);)a
                                Source: AteraAgent.exe, 00000019.00000002.2991860336.0000021869B0F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000000.2342760248.00000269E48C2000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: SELECT Timestamp FROM StatisticsSendTime ORDER BY Timestamp DESC LIMIT 1;
                                Source: AteraAgent.exe, 00000019.00000002.2991860336.0000021869B0F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000000.2342760248.00000269E48C2000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);sSELECT MAX([Timestamp]) AS [TimeStamp] FROM [AlertsSent];
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000022.00000002.2405909260.00007FF89FF3A000.00000002.00000001.01000000.0000001B.sdmp, SQLite.Interop.dll.14.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000022.00000002.2405909260.00007FF89FF3A000.00000002.00000001.01000000.0000001B.sdmp, SQLite.Interop.dll.14.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2382587021.00000269E536D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);@
                                Source: AteraAgent.exe, 00000019.00000002.2991860336.0000021869B0F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000000.2342760248.00000269E48C2000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: SELECT [Id], [Alerts], [Timestamp] FROM [AlertsSent] ORDER BY [Timestamp] DESC LIMIT 1;
                                Source: AteraAgent.exe, 00000019.00000002.2991860336.0000021869B0F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000000.2342760248.00000269E48C2000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);/DELETE FROM Statistics;eSELECT Id, Name, Timestamp, Value FROM Statistics;
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2391278461.00000269FE9F5000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2382587021.00000269E536D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);
                                Source: AteraAgent.exe, 00000019.00000002.2991860336.0000021869B0F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2382587021.00000269E536D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000000.2342760248.00000269E48C2000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000022.00000002.2405909260.00007FF89FF3A000.00000002.00000001.01000000.0000001B.sdmp, SQLite.Interop.dll.14.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2382587021.00000269E536D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2382587021.00000269E536D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL);
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2382587021.00000269E581F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO ThresholdsProfiles (IsActive,Timestamp,Name,Thresholds) Values (@isActive,@timestamp,@name,@thresholds); DELETE FROM ThresholdsProfiles WHERE Timestamp < @timeToDelete;
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2382587021.00000269E581F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO ThresholdsProfiles (IsActive,Timestamp,Name,Thresholds) Values (@isActive,@timestamp,@name,@thresholds); DELETE FROM ThresholdsProfiles WHERE Timestamp < @timeToDelete;@
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000022.00000002.2405909260.00007FF89FF3A000.00000002.00000001.01000000.0000001B.sdmp, SQLite.Interop.dll.14.drBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                                Source: AteraAgent.exe, 00000019.00000002.2991860336.0000021869B0F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000000.2342760248.00000269E48C2000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: select Name from Win32_PerfFormattedData_Tcpip_NetworkInterface!DataStatsEnabled9InboundBandwidthStatsEnabled;OutboundBandwidthStatsEnabled
                                Source: AteraAgent.exe, 00000019.00000002.2991860336.0000021869B0F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000000.2342760248.00000269E48C2000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: SELECT Id, IsActive, Timestamp, Name, Thresholds FROM ThresholdsProfiles ORDER BY Timestamp DESC LIMIT 1;
                                Source: SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msiStatic file information: TRID: Microsoft Windows Installer (60509/1) 57.88%
                                Source: SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msiReversingLabs: Detection: 21%
                                Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msi"
                                Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6BEB905C8354112D7E7BC21C1881079B
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIBA36.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4373156 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIBCE7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4373765 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSICC98.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4377781 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 98B428FB0154F0966007DE80009BCB6E E Global\MSI0000
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                                Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="daniteixeiraca@gmail.com" /CompanyId="4" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000GIFLyIAP" /AgentId="7a7e43f1-0afc-4f50-8c61-339131846a69"
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIE45B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4383859 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "352bade9-39fc-4189-bf6a-41f552dd6fba" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "34d7bbb1-2b8f-4bcd-964e-f5acf144e140" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "47d6379b-c658-4e52-a133-db8b6d46f0d9" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "8cc942ae-3bdb-4222-9453-2ed70848cfc7" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: unknownProcess created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "585ea9f2-ff62-42b1-8621-32f89cbd700f" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000GIFLyIAP
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k smphost
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "207c764f-7b5e-4361-b17c-c2a6bd7d6267" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "4e65690f-3e0c-4d9e-964f-8895324bb3ff" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "f721374f-3fe2-4b5f-8eec-11d640442926" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "e356d6d4-7cbe-4df1-bcc8-05bbf73f1e8a" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknown Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "36f22a95-55e4-49cb-a2d9-ea5984df366a" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "03c91351-843b-4c54-8a6f-6ddae72fa65a" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "1d983d41-867d-46f7-858b-ce7cf9dfe8cc" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Process created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "8e1a3aa9-ed84-4ede-9655-ef0091e8bc20" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 41990507C01A0A78CED2BEEF0F9E4459 E Global\MSI0000
                                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIB567.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4437562 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6BEB905C8354112D7E7BC21C1881079B
                                Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 98B428FB0154F0966007DE80009BCB6E E Global\MSI0000
                                Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="daniteixeiraca@gmail.com" /CompanyId="4" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000GIFLyIAP" /AgentId="7a7e43f1-0afc-4f50-8c61-339131846a69"
                                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIBA36.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4373156 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIBCE7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4373765 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSICC98.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4377781 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIE45B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4383859 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                                Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "352bade9-39fc-4189-bf6a-41f552dd6fba" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "34d7bbb1-2b8f-4bcd-964e-f5acf144e140" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "47d6379b-c658-4e52-a133-db8b6d46f0d9" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "8cc942ae-3bdb-4222-9453-2ed70848cfc7" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "585ea9f2-ff62-42b1-8621-32f89cbd700f" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "207c764f-7b5e-4361-b17c-c2a6bd7d6267" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "4e65690f-3e0c-4d9e-964f-8895324bb3ff" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "f721374f-3fe2-4b5f-8eec-11d640442926" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "e356d6d4-7cbe-4df1-bcc8-05bbf73f1e8a" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: webio.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: edputil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.staterepositoryps.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wintypes.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: appresolver.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: bcp47langs.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: slc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sppc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecorecommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecoreuapcommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: webio.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: edputil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.staterepositoryps.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wintypes.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: appresolver.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File written: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks\AteraAgent
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.config
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dll
                                Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}
                                Source: SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msi Static file information: File size 2994176 > 1048576
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdbSHA256 source: AgentPackageMonitoring.exe, 00000022.00000002.2388833628.00000269FDBC2000.00000002.00000001.01000000.0000001F.sdmp
                                Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Hosting/Release/net6.0/Microsoft.Extensions.Hosting.pdb source: Microsoft.Extensions.Hosting.dll.25.dr
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000D.00000000.2121397249.000002C5AC432000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdb= source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2980050197.000002449F4F4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000013.00000002.2269430575.0000013F41DF2000.00000002.00000001.01000000.00000018.sdmp, AgentPackageTicketing.exe, 0000002D.00000002.3732158656.000001CB9B712000.00000002.00000001.01000000.0000004E.sdmp, AgentPackageHeartbeat.exe, 00000037.00000002.2754905148.000001DB5C752000.00000002.00000001.01000000.00000036.sdmp, AgentPackageProgramManagement.exe, 0000003A.00000002.2815798469.000002961D0B6000.00000002.00000001.01000000.00000043.sdmp, Atera.AgentPackage.Common.dll7.25.dr
                                Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb< source: AgentPackageAgentInformation.exe, 00000013.00000000.2244442728.0000013F415E2000.00000002.00000001.01000000.00000016.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002B.00000000.2617750941.00000244861C2000.00000002.00000001.01000000.00000026.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdbp+ source: AgentPackageMonitoring.exe, 00000022.00000002.2389296880.00000269FDC82000.00000002.00000001.01000000.00000021.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: AgentPackageMonitoring.exe, 00000022.00000002.2389765735.00000269FDCF2000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdb source: AgentPackageMonitoring.exe, 00000022.00000002.2382248089.00000269E51E2000.00000002.00000001.01000000.0000001D.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdbSHA256G source: AgentPackageInternalPoller.exe, 00000033.00000002.2782762236.00000215FE712000.00000002.00000001.01000000.0000003A.sdmp
                                Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Configuration.Abstractions/Release/net6.0/Microsoft.Extensions.Configuration.Abstractions.pdb source: AteraAgent.exe, 00000019.00000002.2807215547.0000021800548000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdb source: AteraAgent.exe, 00000019.00000002.2807215547.0000021800241000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdbSHA256 source: AgentPackageInternalPoller.exe, 00000033.00000002.2792690357.00000215FEAE2000.00000002.00000001.01000000.0000003D.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000004.00000003.2063828795.0000000004534000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2075226242.0000000004D26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2108722058.00000000041E1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2170478630.00000000046DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2710479187.0000000004D38000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbdq source: AgentPackageTicketing.exe, 0000002D.00000002.3732158656.000001CB9B712000.00000002.00000001.01000000.0000004E.sdmp, Atera.AgentPackage.Common.dll7.25.dr
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb source: AteraAgent.exe, 00000019.00000002.2991860336.0000021869B0F000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: AgentPackageOsUpdates.exe, 00000035.00000002.2804841516.0000029466BD0000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000D.00000000.2121397249.000002C5AC432000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdbdeAgent.pdbD source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2911067057.0000007C23AF2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.pdb:$ source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2980050197.000002449F4AC000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.pdb source: AgentPackageOsUpdates.exe, 00000035.00000002.2804841516.0000029466BD0000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: AteraAgent.exe, 00000019.00000002.2807215547.00000218006F6000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netfx\System.Memory.pdb source: System.Memory.dll3.25.dr
                                Source: Binary string: /_/src/Polly/obj/Release/net461/Polly.pdb source: AgentPackageOsUpdates.exe, 00000035.00000002.2802288315.0000029466AD2000.00000002.00000001.01000000.0000003E.sdmp
                                Source: Binary string: E:\A\_work\533\obj\Microsoft.ApplicationInsights\Release\src\Microsoft.ApplicationInsights\net45\Microsoft.ApplicationInsights.pdb source: Microsoft.ApplicationInsights.dll.14.dr
                                Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Hosting/Release/net6.0/Microsoft.Extensions.Hosting.pdbSHA256-@ source: Microsoft.Extensions.Hosting.dll.25.dr
                                Source: Binary string: D:\a\1\s\AgentPackageInternalPoller\AgentPackageInternalPoller\obj\Release\AgentPackageInternalPoller.pdb source: AgentPackageInternalPoller.exe, 00000033.00000000.2668715578.00000215FD612000.00000002.00000001.01000000.00000029.sdmp
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000E.00000002.2607658011.0000027B80002000.00000002.00000001.01000000.00000025.sdmp
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 0000000E.00000002.2607658011.0000027B80002000.00000002.00000001.01000000.00000025.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000004.00000003.2063828795.0000000004565000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2075226242.0000000004D57000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2108722058.0000000004212000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2170478630.000000000470D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2390605428.00000269FDDD2000.00000002.00000001.01000000.00000023.sdmp, rundll32.exe, 0000003D.00000003.2710479187.0000000004D69000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\code\dapper-dot-net\Dapper\bin\Release\net45\Dapper.pdb source: AgentPackageMonitoring.exe, 00000022.00000002.2389109771.00000269FDC42000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageProgramManagement\AgentPackageProgramManagement\obj\Release\AgentPackageProgramManagement.pdb source: AgentPackageProgramManagement.exe, 0000003A.00000000.2687330507.000002961CC52000.00000002.00000001.01000000.0000002C.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256d source: AgentPackageMonitoring.exe, 00000022.00000002.2389765735.00000269FDCF2000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: PC:\Windows\AgentPackageUpgradeAgent.pdb@[R source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2911067057.0000007C23AF2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageProgramManagement\ThirdPartyPackageManager\obj\Release\ThirdPartyPackageManager.pdb source: AgentPackageProgramManagement.exe, 0000003A.00000002.2815237866.000002961D072000.00000002.00000001.01000000.00000041.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AgentPackageAgentInformation.exe, 00000013.00000000.2244442728.0000013F415E2000.00000002.00000001.01000000.00000016.sdmp
                                Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Configuration.Abstractions/Release/net6.0/Microsoft.Extensions.Configuration.Abstractions.pdbSHA256 source: AteraAgent.exe, 00000019.00000002.2807215547.0000021800548000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdb source: AgentPackageMonitoring.exe, 00000022.00000002.2388833628.00000269FDBC2000.00000002.00000001.01000000.0000001F.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000004.00000003.2063828795.0000000004534000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2075226242.0000000004D26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2108722058.00000000041E1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2170478630.00000000046DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2710479187.0000000004D38000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdbs source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2980050197.000002449F4F4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: symbols\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2911067057.0000007C23AF2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\exe\AgentPackageOsUpdates.pdbs source: AgentPackageOsUpdates.exe, 00000035.00000002.2804841516.0000029466C55000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Configuration.EnvironmentVariables/Release/net6.0/Microsoft.Extensions.Configuration.EnvironmentVariables.pdbSHA256 source: Microsoft.Extensions.Configuration.EnvironmentVariables.dll.25.dr
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AgentPackageAgentInformation.exe, 00000013.00000002.2270233720.0000013F5A6F2000.00000002.00000001.01000000.00000019.sdmp, AgentPackageSTRemote.exe, 0000002F.00000002.2716819083.000002D69C9B0000.00000002.00000001.01000000.00000032.sdmp
                                Source: Binary string: ]c:\borrar\EmptyDll\Release\EmptyDll.pdb source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmp
                                Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Configuration.EnvironmentVariables/Release/net6.0/Microsoft.Extensions.Configuration.EnvironmentVariables.pdb source: Microsoft.Extensions.Configuration.EnvironmentVariables.dll.25.dr
                                Source: Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdbSHA256~ source: AteraAgent.exe, 00000019.00000002.2807215547.0000021800241000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000004.00000003.2063828795.0000000004565000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2075226242.0000000004D57000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2108722058.0000000004212000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2170478630.000000000470D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.2270233720.0000013F5A6F2000.00000002.00000001.01000000.00000019.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2390605428.00000269FDDD2000.00000002.00000001.01000000.00000023.sdmp, AgentPackageSTRemote.exe, 0000002F.00000002.2716819083.000002D69C9B0000.00000002.00000001.01000000.00000032.sdmp, rundll32.exe, 0000003D.00000003.2710479187.0000000004D69000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.PDB source: AgentPackageOsUpdates.exe, 00000035.00000002.2804841516.0000029466BD0000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: AteraAgent.exe, 00000019.00000002.2807215547.00000218006F6000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2973229485.000002449F272000.00000002.00000001.01000000.00000049.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2973229485.000002449F272000.00000002.00000001.01000000.00000049.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates\obj\Release\AgentPackageOsUpdates.pdb source: AgentPackageOsUpdates.exe, 00000035.00000002.2804841516.0000029466C4A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000035.00000002.2804841516.0000029466BD0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000035.00000002.2804841516.0000029466C55000.00000004.00000020.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000035.00000000.2675329099.000002944D9B2000.00000002.00000001.01000000.0000002A.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdbr source: AteraAgent.exe, 00000019.00000002.2991860336.0000021869B0F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000000.2342760248.00000269E48C2000.00000002.00000001.01000000.0000001A.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdb source: AteraAgent.exe, 00000019.00000002.2991860336.0000021869B0F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000000.2342760248.00000269E48C2000.00000002.00000001.01000000.0000001A.sdmp
                                Source: Binary string: \??\C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\*nt.pdbH source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2980050197.000002449F4F4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2911067057.0000007C23AF2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdb source: AgentPackageInternalPoller.exe, 00000033.00000002.2792690357.00000215FEAE2000.00000002.00000001.01000000.0000003D.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msi
                                Source: Binary string: D:\a\1\s\AgentPackageHeartbeat\AgentPackageHeartbeat\obj\Release\AgentPackageHeartbeat.pdb source: AgentPackageHeartbeat.exe, 00000037.00000000.2679474183.000001DB5C312000.00000002.00000001.01000000.0000002B.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb4X source: AgentPackageHeartbeat.exe, 00000037.00000002.2754905148.000001DB5C752000.00000002.00000001.01000000.00000036.sdmp
                                Source: Binary string: c:\borrar\EmptyDll\Release\EmptyDll.pdb source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmp
                                Source: Binary string: C:\buildAgent\work\1b72bc6dac87fa71\code_drop\merge\chocolatey.pdb source: AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdbPljl \l_CorExeMainmscoree.dll source: AgentPackageTicketing.exe, 0000002D.00000000.2645318451.000001CB82702000.00000002.00000001.01000000.00000027.sdmp
                                Source: Binary string: /_/src/Polly/obj/Release/net461/Polly.pdbSHA256I5 source: AgentPackageOsUpdates.exe, 00000035.00000002.2802288315.0000029466AD2000.00000002.00000001.01000000.0000003E.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000004.00000003.2063828795.0000000004534000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2075226242.0000000004D26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2108722058.00000000041E1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2170478630.00000000046DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2710479187.0000000004D38000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdbSHA256`{f source: AgentPackageMonitoring.exe, 00000022.00000002.2382248089.00000269E51E2000.00000002.00000001.01000000.0000001D.sdmp
                                Source: Binary string: \??\C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\*.pdby source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2980050197.000002449F4F4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000013.00000002.2269430575.0000013F41DF2000.00000002.00000001.01000000.00000018.sdmp, AgentPackageProgramManagement.exe, 0000003A.00000002.2815798469.000002961D0B6000.00000002.00000001.01000000.00000043.sdmp
                                Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.pdbE source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2911067057.0000007C23AF2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: pC:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2911067057.0000007C23AF2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\533\obj\Microsoft.ApplicationInsights\Release\src\Microsoft.ApplicationInsights\net45\Microsoft.ApplicationInsights.pdbCW source: Microsoft.ApplicationInsights.dll.14.dr
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdbcccGCTL source: AteraAgent.exe, 00000019.00000002.2991860336.0000021869B0F000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2980050197.000002449F4AC000.00000004.00000020.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000035.00000002.2804841516.0000029466C3E000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\symbols\exe\AgentPackageUpgradeAgent.pdbc source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2980050197.000002449F4AC000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\dev\sqlite\dotnet-private\bin\2012\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: AgentPackageMonitoring.exe, 00000022.00000002.2405909260.00007FF89FF3A000.00000002.00000001.01000000.0000001B.sdmp, SQLite.Interop.dll.14.dr
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.2164502453.000002C5C6A82000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll0.1.dr
                                Source: Binary string: C:\Windows\AgentPackageUpgradeAgent.pdbpdbent.pdb source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2980050197.000002449F4F4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates.Common\obj\Release\AgentPackageOsUpdates.Common.pdb source: AgentPackageOsUpdates.exe, 00000035.00000002.2739226591.000002944DD52000.00000002.00000001.01000000.00000033.sdmp
                                Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2911067057.0000007C23AF2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000D.00000002.2164502453.000002C5C6A82000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll0.1.dr
                                Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdb source: AteraAgent.exe, 00000019.00000002.2807215547.0000021800492000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdb source: AgentPackageMonitoring.exe, 00000022.00000002.2389296880.00000269FDC82000.00000002.00000001.01000000.00000021.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\TicketingPackageExtensions\obj\Release\TicketingPackageExtensions.pdb source: AgentPackageTicketing.exe, 0000002D.00000002.3319498796.000001CB82F02000.00000002.00000001.01000000.0000004D.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msi
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates.Common\obj\Release\AgentPackageOsUpdates.Common.pdba^{^ m^_CorDllMainmscoree.dll source: AgentPackageOsUpdates.exe, 00000035.00000002.2739226591.000002944DD52000.00000002.00000001.01000000.00000033.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdb source: AgentPackageInternalPoller.exe, 00000033.00000002.2782762236.00000215FE712000.00000002.00000001.01000000.0000003A.sdmp
                                Source: Binary string: .pdbE source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2911067057.0000007C23AF2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: m.pdb source: AteraAgent.exe, 00000019.00000002.2978934094.00000218695D4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdbSHA256 source: AteraAgent.exe, 00000019.00000002.2807215547.0000021800492000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.Contracts\4.0.1.0\System.Diagnostics.Contracts.pdb source: System.Diagnostics.Contracts.dll.25.dr
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdb source: AgentPackageTicketing.exe, 0000002D.00000000.2645318451.000001CB82702000.00000002.00000001.01000000.00000027.sdmp
                                Source: BouncyCastle.Crypto.dll.1.dr Static PE information: 0xE49A52B3 [Sun Jul 15 06:22:43 2091 UTC]
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: 34_2_00007FF89FDF1910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 34_2_00007FF89FDF1910

                                Persistence and Installation Behavior

                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe; File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe; File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe; File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSTRemote.exe.log
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe; File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe; File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe; File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageOsUpdates.exe.log
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe; File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageHeartbeat.exe.log
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe; File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageProgramManagement.exe.log
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.CommonLib.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dll
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSICFD8.tmp
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackage.Common.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tracing.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Json.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Microsoft.ApplicationInsights.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Text.Encodings.Web.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Xml.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Newtonsoft.Json.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Dynamic.Runtime.dll
Source: C:\Windows\SysWOW64\rundll32.exe; File created: C:\Windows\Installer\MSICC98.tmp-\AlphaControlAgentInstallation.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlSerializer.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CommunityToolkit.WinUI.Notifications.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.Exceptions.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Ping.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Newtonsoft.Json.dll
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSIC519.tmp
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.X509Certificates.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll
Source: C:\Windows\SysWOW64\rundll32.exe; File created: C:\Windows\Installer\MSICC98.tmp-\Newtonsoft.Json.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.UserSecrets.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.ValueTuple.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\de\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Data.SQLite.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cuninst.exe
Source: C:\Windows\System32\msiexec.exe; File created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Polly.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Abstractions.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\7z.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Contracts.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.MemoryMappedFiles.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Concurrent.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TraceSource.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Thread.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\RunScriptAsUser.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\System.Management.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Watcher.dll
Source: C:\Windows\System32\msiexec.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.DiagnosticSource.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.ServiceProcess.ServiceController.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Extensions.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\ICSharpCode.SharpZipLib.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\NLog.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Csp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.ThreadPool.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x86\SQLite.Interop.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.EnvironmentVariables.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.FileExtensions.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dll
Source: C:\Windows\System32\msiexec.exe; File created: 42b8c9.rbf (copy)
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Pubnub.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Primitives.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.Client.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LiteDB.dll
Source: C:\Windows\SysWOW64\rundll32.exe; File created: C:\Windows\Installer\MSIBCE7.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Diagnostics.DiagnosticSource.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Formatters.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tools.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Runtime.CompilerServices.Unsafe.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\ru\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Infrastructure.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll
Source: C:\Windows\SysWOW64\rundll32.exe; File created: C:\Windows\Installer\MSIB567.tmp-\System.Management.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ObjectModel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.EventLog.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Atera.AgentPackage.Common.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.StackTrace.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Sockets.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Algorithms.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
Source: C:\Windows\System32\msiexec.exe; File created: C:\Windows\Installer\MSICE8E.tmp
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dll
Source: C:\Windows\SysWOW64\rundll32.exe; File created: C:\Windows\Installer\MSIE45B.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Overlapped.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.NonGeneric.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\CliWrap.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dll
Source: C:\Windows\System32\msiexec.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Claims.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.ConfigurationExtensions.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.ServiceProcess.ServiceController.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.VisualC.dll
Source: C:\Windows\System32\msiexec.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Diagnostics.DiagnosticSource.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.UnmanagedMemoryStream.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Binder.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Console.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Process.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Extensions.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.CompilerServices.Unsafe.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Numerics.Vectors.dll
Source: C:\Windows\System32\msiexec.exe; File created: 42b8ca.rbf (copy)
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Parallel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.ValueTuple.dll
Source: C:\Windows\SysWOW64\rundll32.exe; File created: C:\Windows\Installer\MSIB567.tmp-\Newtonsoft.Json.dll
Source: C:\Windows\System32\msiexec.exe; File created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Primitives.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileSystemGlobbing.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventLog.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exe
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.XDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TextWriterTraceListener.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID8D3.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID78A.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Abstractions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\choco.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Debug.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Drawing.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB567.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Timer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTray.exe (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Newtonsoft.Json.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Primitives.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XDocument.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Http.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Queryable.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\StructureMap.dll
Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\MSID941.tmp
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.Utils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\System.ValueTuple.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Security.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\chocolatey.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.Parallel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ValueTuple.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.Primitives.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\MSICEDD.tmp
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.DriveInfo.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Memory.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.AppContext.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dll
Source: C:\Windows\SysWOW64\rundll32.exe, File created: C:\Windows\Installer\MSICC98.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll
Source: C:\Windows\SysWOW64\rundll32.exe, File created: C:\Windows\Installer\MSIB567.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Configuration.dll
Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\MSIF075.tmp
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.RegularExpressions.dll
Source: C:\Windows\SysWOW64\rundll32.exe, File created: C:\Windows\Installer\MSIE45B.tmp-\Newtonsoft.Json.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Abstractions.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\it\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cpush.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\NLog.dll
Source: C:\Windows\System32\msiexec.exe, File created: 42b8cb.rbf (copy)
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\MSICC98.tmp
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.Exceptions.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Runtime.CompilerServices.Unsafe.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Sinks.File.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Handles.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\pl\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlDocument.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.CompilerServices.Unsafe.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.Exceptions.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\BouncyCastle.Crypto.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\shimgen.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Physical.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Buffers.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\StructureMap.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Reader.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Primitives.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Tools.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dll
Source: C:\Windows\SysWOW64\rundll32.exe, File created: C:\Windows\Installer\MSIBCE7.tmp-\Newtonsoft.Json.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Newtonsoft.Json.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.ResourceManager.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-Hant\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\Windows\System32\msiexec.exe, File created: 42b8c6.rbf (copy)
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\browser\lib\net6.0\System.Text.Encodings.Web.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Memory.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\StructureMap.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.EventBasedAsync.dll
Source: C:\Windows\System32\msiexec.exe, File created: 42b8cc.rbf (copy)
Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\MSIF922.tmp
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Newtonsoft.Json.dll
Source: C:\Windows\SysWOW64\rundll32.exe, File created: C:\Windows\Installer\MSIBA36.tmp-\AlphaControlAgentInstallation.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Encoding.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Numerics.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dll
Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dll
Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Polly.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NetworkInformation.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\t2tWinFormAppBarLib.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Numerics.Vectors.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\7z.exe
Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\MSIBC8C.tmp
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Microsoft.ApplicationInsights.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.Abstractions.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Microsoft.ApplicationInsights.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\NLog.dll
Source: C:\Windows\System32\msiexec.exe, File created: 42b8c8.rbf (copy)
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.Messages.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll
Source: C:\Windows\SysWOW64\rundll32.exe, File created: C:\Windows\Installer\MSIBA36.tmp-\System.Management.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Writer.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackage.Common.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Runtime.CompilerServices.Unsafe.dll
Source: C:\Windows\SysWOW64\rundll32.exe, File created: C:\Windows\Installer\MSICC98.tmp-\System.Management.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cinst.exe
Source: C:\Windows\SysWOW64\rundll32.exe, File created: C:\Windows\Installer\MSIBA36.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.TypeConverter.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.WinForm.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NameResolution.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIBA36.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.IsolatedStorage.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.CommandLine.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Logging.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Http.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF112.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cup.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\checksum.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\es\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Text.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Expressions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\NLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIB567.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE45B.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Specialized.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.Abstractions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\QRCoder.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF171.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Principal.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIBCE7.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.Utils.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBA36.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Hosting.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Calendars.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Requests.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIBCE7.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Console.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.SecureString.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\IdleTimeFinder.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\fr\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Data.Common.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE45B.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBCE7.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.ReaderWriter.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\CommunityToolkit.WinUI.Notifications.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE45B.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Polly.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebHeaderCollection.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\clist.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.FileVersionInfo.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Debug.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSICE8E.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSICFD8.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIBCE7.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE45B.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBA36.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIBA36.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID78A.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID8D3.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSICEDD.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIBCE7.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF112.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSICC98.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSICC98.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIB567.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF075.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF922.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIBCE7.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIBA36.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIC519.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE45B.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB567.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSICC98.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIBCE7.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSICC98.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBC8C.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBCE7.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE45B.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIB567.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE45B.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIBA36.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIB567.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSICC98.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE45B.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID941.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIBA36.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF171.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIB567.tmp-\Newtonsoft.Json.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\InstallUtil.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\AteraSetupLog.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\LICENSE.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\7zip.license.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\checksum.license.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\shimgen.license.txt

                                Boot Survival

                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
                                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FDEA524 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,34_2_00007FF89FDEA524
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
                                Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX

                                Malware Analysis System Evasion

                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0"} where resultclass = Win32_DiskPartition
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent="Win32_DiskDrive.DeviceID=\"\\\\\\\\.\\\\PHYSICALDRIVE0\""
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PhysicalAdapter,Name,PNPDeviceID from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Name,DisplayName,Description,State from Win32_Service
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #0"} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #0\""
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #2"} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #2\""
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Size,FreeSpace,Name FROM Win32_LogicalDisk where DriveType=3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_SoundDevice
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 2C5AC780000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 2C5C6180000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 27B66E80000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 27B7F070000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 13F41A10000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 13F59F20000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1852E9B0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 18546E40000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1F108B60000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1F120BD0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 21868C80000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 21868CC0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 2263BF10000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 22654050000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 269E4C50000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 269FD280000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1D53FEB0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1D558470000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 24486500000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 2449EA30000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeMemory allocated: 1CB82EB0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeMemory allocated: 1CB9AF30000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeMemory allocated: 2D684050000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeMemory allocated: 2D69C220000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 26489E10000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 264A2540000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMemory allocated: 215FDDF0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMemory allocated: 215FDF40000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeMemory allocated: 2944DD10000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeMemory allocated: 29466410000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeMemory allocated: 1DB5C720000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeMemory allocated: 1DB74DE0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeMemory allocated: 2961D050000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeMemory allocated: 296357B0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599546
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599437
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599328
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599218
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599109
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598890
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598781
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598672
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598562
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598453
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598343
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598234
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598125
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598015
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597906
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597797
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597687
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597578
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597468
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597359
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597249
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597140
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597031
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596922
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596812
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596703
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596593
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596484
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599610
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599438
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599125
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598938
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598719
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598559
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598430
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598325
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598191
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598063
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597907
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597782
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597657
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597524
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597360
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597173
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597048
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596901
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596652
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596453
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596282
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596063
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595782
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595485
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595250
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594969
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594774
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594563
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594430
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594279
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594160
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594038
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593900
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593641
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593391
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593188
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593032
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592905
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592787
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592648
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592531
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592419
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592242
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592109
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591972
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591813
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591641
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591526
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591375
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591219
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591083
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590907
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590760
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590547
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590438
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590315
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590159
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590032
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 589907
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 589782
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 589657
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 589532
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 589407
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 589282
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 589156
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 589047
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 588922
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 588813
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 588688
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 588576
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 588466
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 588360
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 588250
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 588141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 588016
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 587905
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 42b8ca.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Parallel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIB567.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileSystemGlobbing.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.XDocument.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSID8D3.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TextWriterTraceListener.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSID78A.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Abstractions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\choco.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Debug.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Drawing.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIB567.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Timer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTray.exe (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Http.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Queryable.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\StructureMap.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSID941.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Security.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\chocolatey.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.Parallel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSICEDD.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.DriveInfo.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.AppContext.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIB567.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSICC98.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Configuration.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.RegularExpressions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF075.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIE45B.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Abstractions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\it\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cpush.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\NLog.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 42b8cb.rbf (copy)Jump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSICC98.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Sinks.File.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Handles.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\pl\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\shimgen.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Physical.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Reader.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Tools.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\clist.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebHeaderCollection.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.FileVersionInfo.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Debug.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeRegistry key enumerated: More than 126 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                                Source: C:\Windows\SysWOW64\rundll32.exe TID: 6568 Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 1480 Thread sleep time: -60000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 4508 Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 4564 Thread sleep count: 4559 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 2132 Thread sleep time: -23980767295822402s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 2132 Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 5452 Thread sleep time: -140000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 4564 Thread sleep count: 4988 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 1504 Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 368 Thread sleep time: -90000s >= -30000s
                                Source: C:\Windows\SysWOW64\rundll32.exe TID: 5968 Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1292 Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3128 Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6544 Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6096 Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4372 Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 6292 Thread sleep count: 1658 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 4480 Thread sleep count: 7963 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7056 Thread sleep count: 42 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7056 Thread sleep time: -38738162554790034s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7056 Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 1960 Thread sleep time: -100000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 4768 Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 5720 Thread sleep time: -90000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2584 Thread sleep count: 6141 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1480 Thread sleep count: 2216 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7308 Thread sleep time: -23058430092136925s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7308 Thread sleep time: -600000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7288 Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5580 Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 5756 Thread sleep count: 1593 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7180 Thread sleep time: -5534023222112862s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7180 Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 3712 Thread sleep count: 2230 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7188 Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 2804 Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7616 Thread sleep count: 440 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7616 Thread sleep count: 1131 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4332 Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7568 Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 7700 Thread sleep time: -60000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 7740 Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224 Thread sleep count: 6869 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6720 Thread sleep count: 42 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6720 Thread sleep time: -38738162554790034s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6720 Thread sleep time: -600000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 7224 Thread sleep count: 2698 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6720Thread sleep time: -587547s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6720Thread sleep time: -587438s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6720Thread sleep time: -587322s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6720Thread sleep time: -587204s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6720Thread sleep time: -587079s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6720Thread sleep time: -586954s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6720Thread sleep time: -586829s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6720Thread sleep time: -586704s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6720Thread sleep time: -586579s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7892Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7884Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 7964Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 8064Thread sleep count: 292 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 8124Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 8040Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe TID: 8184Thread sleep count: 201 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe TID: 8160Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe TID: 7216Thread sleep time: -1844674407370954s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe TID: 5756Thread sleep count: 967 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe TID: 7124Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe TID: 4112Thread sleep time: -3689348814741908s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe TID: 3664Thread sleep count: 1301 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe TID: 3664Thread sleep count: 88 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe TID: 4956Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe TID: 3396Thread sleep time: -1844674407370954s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Manufacturer,SoftwareElementID,ReleaseDate from Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PartOfDomain,Workgroup,Domain FROM Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 90000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599546
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599437
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599328
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599218
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599109
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598890
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598781
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598672
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598562
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598453
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598343
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598234
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598125
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598015
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597906
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597797
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597687
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597578
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597468
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597359
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597249
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597140
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597031
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596922
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596812
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596703
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596593
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596484
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599610
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599438
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599125
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598938
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598719
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598559
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598430
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598325
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598191
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598063
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597907
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597782
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597657
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597524
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597360
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597173
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597048
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-CheckSumValid.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Format-FileSize.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariableNames.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariable.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyUnzip.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyWebFile.ps1
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67071000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service0
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2450168267.0000022654991000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to manage virtual machine with PowerShell via VM session without a virtual network.Hyper-V PowerShell Direct ServicevmicvmsessionStopped-F
                                Source: AgentPackageAgentInformation.exe, 00000026.00000002.2907420139.000001D558FFC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware
                                Source: svchost.exe, 00000024.00000002.3312985649.00000228A8852000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @friendlyname"vmware virtual disk"ll
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2434672436.000002263B898000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000026.00000002.2810177979.000001D53FCC9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2450168267.0000022654991000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceSynchronizes the system time of this virtual machine with the system time of the physical computer.Hyper-V Time Synchronization ServicevmictimesyncStopped
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2388012880.00000269FDAC0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllqBX
                                Source: AteraAgent.exe, 0000000D.00000002.2161796269.000002C5C68CB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2161796269.000002C5C6927000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2603432372.0000027B7FCC8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2603432372.0000027B7FD13000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2598077770.0000027B7F7AC000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002B.00000002.2977107535.000002449F494000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                                Source: svchost.exe, 00000024.00000002.3313032286.00000228A8869000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMware20,1NoneVMware-42 27 d9 2e dc 89 72 dd-92 e8 86 9f a5 a6 64 93
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2434672436.000002263B898000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer.Hyper-V Data Exchange ServicevmickvpexchangeStopped@
                                Source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2980050197.000002449F49F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RA
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2434672436.000002263B898000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000026.00000002.2810177979.000001D53FCC9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Provides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.
                                Source: AgentPackageAgentInformation.exe, 00000026.00000002.2907420139.000001D558FFC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk
                                Source: AgentPackageAgentInformation.exe, 00000026.00000002.2821800701.000001D5404F3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: |Provides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.
                                Source: AgentPackageAgentInformation.exe, 00000015.00000002.2274234365.00000185476C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllaa
                                Source: AgentPackageAgentInformation.exe, 00000013.00000000.2244442728.0000013F415E2000.00000002.00000001.01000000.00000016.sdmpBinary or memory string: VIRUSfighterAVMware Carbon Black Cloud Sensor7VMware Carbon Black Defense/VMware Carbon Black EDR9VMware Carbon Black Response
                                Source: AgentPackageInternalPoller.exe, 00000033.00000002.2784580394.00000215FE8B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67071000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Hyper-V PowerShell Direct Service0
                                Source: svchost.exe, 00000024.00000003.2392730309.00000228A8C1A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c292b65879ff477a6af604113f58PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 006000C292B65879FF477A6AF604113F58
                                Source: AgentPackageAgentInformation.exe, 00000026.00000002.2810177979.000001D53FD26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicshutdownvmicshutdownStopped
                                Source: AgentPackageAgentInformation.exe, 00000026.00000002.2821800701.000001D5404F3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicshutdown
                                Source: AgentPackageAgentInformation.exe, 00000026.00000002.2810177979.000001D53FD26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicheartbeatvmicheartbeatStopped
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2381697266.00000269E4CA2000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: vmware
                                Source: svchost.exe, 00000024.00000002.3312985649.00000228A8852000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JSetPropValue.Manufacturer("VMware");
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2382587021.00000269E536D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
                                Source: svchost.exe, 00000024.00000002.3312893956.00000228A882B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $@friendlyname"vmware virtual disk"ion
                                Source: AgentPackageAgentInformation.exe, 00000026.00000002.2821800701.000001D5404F3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Time Synchronization Service
                                Source: svchost.exe, 00000024.00000002.3312985649.00000228A8852000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c292b65879ff477a6af604113f58PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 006000C292B65879FF477A6AF604113F58^
                                Source: AgentPackageAgentInformation.exe, 00000026.00000002.2821800701.000001D5404F3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicvss
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67071000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface0
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2434672436.000002263B898000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicshutdownvmicshutdownStoppedX
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67071000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Volume Shadow Copy Requestor0
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2449934879.0000022654973000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.Hyper-V Guest Service InterfacevmicguestinterfaceStopped-
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2434672436.000002263B898000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000026.00000002.2821800701.000001D5404F3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000026.00000002.2810177979.000001D53FCC9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2449934879.0000022654973000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000026.00000002.2897196451.000001D558E54000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Provides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2449934879.0000022654973000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000026.00000002.2897196451.000001D558E54000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000026.00000002.2821800701.000001D5404F3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface
                                Source: AgentPackageAgentInformation.exe, 00000026.00000002.2821800701.000001D5404F3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -Hyper-V Remote Desktop Virtualization Service
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2449816038.0000022654961000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicshutdown"
                                Source: AgentPackageAgentInformation.exe, 00000026.00000002.2821800701.000001D5404F3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicheartbeat
                                Source: svchost.exe, 00000024.00000002.3312985649.00000228A8852000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dSetPropValue.FriendlyName("VMware Virtual disk");
                                Source: AgentPackageAgentInformation.exe, 00000026.00000002.2907420139.000001D558FFC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: }"6000C292B65879FF477A6AF604113F58VMware Virtual diskVMwareVirtual disk6000c292b65879ff477a6af604113f58PCI Slot 32 : Bus 2 : Device 0 : Function 0 :
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67071000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -Hyper-V Remote Desktop Virtualization Service0
                                Source: AgentPackageAgentInformation.exe, 00000026.00000002.2821800701.000001D5404F3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
                                Source: AgentPackageAgentInformation.exe, 00000026.00000002.2821800701.000001D5404F3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "Win32_Service.Name="vmicheartbeat"p^
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2450168267.0000022654991000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Time Synchronization Service
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67071000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Shutdown Service0
                                Source: svchost.exe, 00000024.00000002.3313032286.00000228A8869000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ?XSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                                Source: AgentPackageAgentInformation.exe, 00000026.00000002.2897196451.000001D558E54000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicheartbeat}
                                Source: rundll32.exe, 00000011.00000002.2211293766.0000000002C66000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll
                                Source: svchost.exe, 00000024.00000002.3312713230.00000228A8800000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk6000C292B65879FF477A6AF604113F580VMwareVirtual disk6000c292b65879ff477a6af604113f582.0
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2449198468.0000022654924000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicvssvmicvssStoppedL
                                Source: rundll32.exe, 00000005.00000002.2105145939.0000000003266000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2978934094.0000021869540000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2450915945.0000022654A28000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000026.00000002.2901603443.000001D558F38000.00000004.00000020.00020000.00000000.sdmp, AgentPackageTicketing.exe, 0000002D.00000002.3733328798.000001CB9B890000.00000004.00000020.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 0000002F.00000002.2722291632.000002D69CA6A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageHeartbeat.exe, 00000037.00000002.2776078400.000001DB754BE000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003A.00000002.2903899814.0000029635ED3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                Source: AgentPackageUpgradeAgent.exe, 0000002B.00000002.2980050197.000002449F49F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWcc
                                Source: AteraAgent.exe, 0000000D.00000002.2161796269.000002C5C6863000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWX
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2434672436.000002263B898000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000026.00000002.2810177979.000001D53FCC9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a platform for communication between the virtual machine and the operating system running on the physical computer.Hyper-V Remote Desktop Virtualization ServicevmicrdvStopped
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2434672436.000002263B898000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.HV Host ServiceHvHostStopped;&
                                Source: AgentPackageAgentInformation.exe, 00000026.00000002.2810177979.000001D53FCC9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.HV Host ServiceHvHostStoppedgU
                                Source: AteraAgent.exe, 00000019.00000002.2991860336.0000021869B0F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2381697266.00000269E4CA2000.00000002.00000001.01000000.0000001C.sdmp, AgentPackageMonitoring.exe, 00000022.00000000.2342760248.00000269E48C2000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: get_IsVirtualMachine
                                Source: AgentPackageAgentInformation.exe, 00000026.00000002.2897196451.000001D558E54000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.Hyper-V Guest Service InterfacevmicguestinterfaceStopped
                                Source: AgentPackageAgentInformation.exe, 00000026.00000002.2821800701.000001D5404F3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicvss"p^
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2450168267.0000022654991000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
                                Source: AgentPackageAgentInformation.exe, 00000013.00000002.2270476521.0000013F5A7F6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlls
                                Source: AgentPackageAgentInformation.exe, 00000026.00000002.2821800701.000001D5404F3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Win32_Service.Name="vmicshutdown"p^
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67071000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Time Synchronization Service0
                                Source: AgentPackageAgentInformation.exe, 00000026.00000002.2902537771.000001D558F54000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: MSFT_PhysicalDisk{1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\SPACES_PhysicalDisk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{baefc400-1cb2-6d19-d2b5-4ac4ae014b83}"6000C292B65879FF477A6AF604113F58VMware Virtual diskVMwareVirtual disk6000c292b65879ff477a6af604113f58PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67071000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Heartbeat Service0
                                Source: svchost.exe, 00000024.00000002.3314775560.00000228A8D23000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SPACES_PhysicalDisk{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{baefc400-1cb2-6d19-d2b5-4ac4ae014b83}6000C292B65879FF477A6AF604113F58VMware Virtual diskVMwareVirtual disk6000c292b65879ff477a6af604113f58PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: svchost.exe, 00000024.00000002.3313032286.00000228A8869000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c292b65879ff477a6af604113f58PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: AgentPackageAgentInformation.exe, 00000026.00000002.2821800701.000001D5404F3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Hyper-V PowerShell Direct Service
                                Source: AgentPackageAgentInformation.exe, 00000026.00000002.2810177979.000001D53FCC9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer.Hyper-V Data Exchange ServicevmickvpexchangeStopped
                                Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformation
                                Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FDE5E14 IsDebuggerPresent,__crtUnhandledException,GetCurrentProcess,TerminateProcess,34_2_00007FF89FDE5E14
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FE2B9F0 GetModuleHandleW,OutputDebugStringA,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,GetLastError,GetProcAddress,OutputDebugStringA,OutputDebugStringA,CorBindToRuntimeEx,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,_snprintf,OutputDebugStringA,34_2_00007FF89FE2B9F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FDF1910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,34_2_00007FF89FDF1910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FDE7A84 GetProcessHeap,34_2_00007FF89FDE7A84
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FDEACD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,34_2_00007FF89FDEACD4
                                Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: page read and write | page guard

                                HIPS / PFW / Operating System Protection Evasion

                                Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 40.119.152.241 443
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="daniteixeiraca@gmail.com" /CompanyId="4" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000GIFLyIAP" /AgentId="7a7e43f1-0afc-4f50-8c61-339131846a69"
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "352bade9-39fc-4189-bf6a-41f552dd6fba" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "34d7bbb1-2b8f-4bcd-964e-f5acf144e140" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "47d6379b-c658-4e52-a133-db8b6d46f0d9" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "8cc942ae-3bdb-4222-9453-2ed70848cfc7" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "585ea9f2-ff62-42b1-8621-32f89cbd700f" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "207c764f-7b5e-4361-b17c-c2a6bd7d6267" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "4e65690f-3e0c-4d9e-964f-8895324bb3ff" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "f721374f-3fe2-4b5f-8eec-11d640442926" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "e356d6d4-7cbe-4df1-bcc8-05bbf73f1e8a" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "36f22a95-55e4-49cb-a2d9-ea5984df366a" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "03c91351-843b-4c54-8a6f-6ddae72fa65a" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "1d983d41-867d-46f7-858b-ce7cf9dfe8cc" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "8e1a3aa9-ed84-4ede-9655-ef0091e8bc20" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000GIFLyIAP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="daniteixeiraca@gmail.com" /companyid="4" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000giflyiap" /agentid="7a7e43f1-0afc-4f50-8c61-339131846a69"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "352bade9-39fc-4189-bf6a-41f552dd6fba" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000giflyiap
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "34d7bbb1-2b8f-4bcd-964e-f5acf144e140" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000giflyiap
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "47d6379b-c658-4e52-a133-db8b6d46f0d9" agent-api.atera.com/production 443 or8ixli90mf "identified" 001q300000giflyiap
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "8cc942ae-3bdb-4222-9453-2ed70848cfc7" agent-api.atera.com/production 443 or8ixli90mf "generalinfo fromgui" 001q300000giflyiap
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "585ea9f2-ff62-42b1-8621-32f89cbd700f" agent-api.atera.com/production 443 or8ixli90mf "syncprofile" 001q300000giflyiap
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "207c764f-7b5e-4361-b17c-c2a6bd7d6267" agent-api.atera.com/production 443 or8ixli90mf "generalinfo" 001q300000giflyiap
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageupgradeagent\agentpackageupgradeagent.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "4e65690f-3e0c-4d9e-964f-8895324bb3ff" agent-api.atera.com/production 443 or8ixli90mf "checkforupdates" 001q300000giflyiap
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageticketing\agentpackageticketing.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "f721374f-3fe2-4b5f-8eec-11d640442926" agent-api.atera.com/production 443 or8ixli90mf "maintain" 001q300000giflyiap
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagestremote\agentpackagestremote.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "e356d6d4-7cbe-4df1-bcc8-05bbf73f1e8a" agent-api.atera.com/production 443 or8ixli90mf "downloadifneeded" 001q300000giflyiap
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageinternalpoller\agentpackageinternalpoller.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "36f22a95-55e4-49cb-a2d9-ea5984df366a" agent-api.atera.com/production 443 or8ixli90mf "pollall" 001q300000giflyiap
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageosupdates\agentpackageosupdates.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "03c91351-843b-4c54-8a6f-6ddae72fa65a" agent-api.atera.com/production 443 or8ixli90mf "getlistofallupdates" 001q300000giflyiap
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageheartbeat\agentpackageheartbeat.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "1d983d41-867d-46f7-858b-ce7cf9dfe8cc" agent-api.atera.com/production 443 or8ixli90mf "heartbeat" 001q300000giflyiap
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageprogrammanagement\agentpackageprogrammanagement.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "8e1a3aa9-ed84-4ede-9655-ef0091e8bc20" agent-api.atera.com/production 443 or8ixli90mf "syncinstalledapps" 001q300000giflyiap
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FF89FDE739C cpuid 34_2_00007FF89FDE739C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIBA36.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIBA36.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIBCE7.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIBCE7.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIBCE7.tmp-\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSICC98.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSICC98.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIE45B.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIE45B.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIE45B.tmp-\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe; Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe; Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe; Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe; Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe; Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe; Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe; Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\Windows\Installer\MSIB567.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\Windows\Installer\MSIB567.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe; Code function: 34_2_00007FF89FDECC04 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,34_2_00007FF89FDECC04
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe; Code function: 34_2_00007FF89FDE85D4 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,_malloc_crt,_invoke_watson,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,34_2_00007FF89FDE85D4
                                Source: C:\Windows\SysWOW64\rundll32.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe; Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiVirusProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiSpywareProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from FirewallProduct

                                Remote Access Functionality

                                Source: Yara matchFile source: 0000002B.00000002.2928832701.0000024486CB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2450223434.000002265499D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002D.00000002.3314224341.000001CB828BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2434672436.000002263B810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000002.2901425753.0000029635E70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2434672436.000002263B82F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2437275862.000002263C249000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2718479214.000002944DC59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2450621949.00000226549F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2602123621.0000027B7FC5D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2159786802.000002C5AC642000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.2964085586.0000021868766000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2728987603.000001DB5C4BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2160988199.000002C5AE232000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002B.00000002.2914256319.00000244862C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.2767597626.00000215FD7A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2602123621.0000027B7FCB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2160988199.000002C5AE181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000017.00000002.2283821517.000001F108598000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2755972710.000002172A1AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2166236861.00007FF8489E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001E.00000003.2294609465.000001F907180000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.2991860336.0000021869AB6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2821800701.000001D5409F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000005.00000002.2106152856.0000000005074000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2580919878.0000027B67405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.2272141138.000001852E62B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2776078400.000001DB754BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000002.2822805972.000002961DA85000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.2272141138.000001852E610000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2821800701.000001D5404F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.2716685556.000002158023A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2437275862.000002263C20D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.2964085586.0000021868719000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2164906312.000002C5C6CE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.2796742101.000000B0DAD35000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000022.00000002.2380691148.00000269E4A6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2904940607.000001D558FB2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.2784580394.00000215FE917000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002B.00000002.2911067057.0000007C23AF2000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002D.00000002.3732158656.000001CB9B712000.00000002.00000001.01000000.0000004E.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2579062937.0000027B66908000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.2991860336.0000021869A58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.2964085586.00000218686E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2728987603.000001DB5C4FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2160988199.000002C5AE2B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.2273338686.000001852EEFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2890995099.000001D558DD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2810177979.000001D53FC7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2821800701.000001D5409B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.2716685556.0000021580229000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2783599588.0000026489BA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002B.00000002.2927622612.0000024486520000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.2273338686.000001852EEC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000002.2822805972.000002961D8AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2580919878.0000027B670F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2821800701.000001D540471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.2272141138.000001852E64D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2901823313.0000013FED555000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002B.00000002.2980050197.000002449F4AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000013.00000002.2270476521.0000013F5A7A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.2807215547.0000021800241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000013.00000002.2269430575.0000013F41DF2000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.2807215547.00000218006F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2164936379.000002C5C6D43000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2718479214.000002944DBBC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000017.00000002.2283821517.000001F108615000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002D.00000002.3320390097.000001CB82FAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2437275862.000002263C607000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.2272141138.000001852E694000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.2807215547.0000021800584000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000022.00000002.2382587021.00000269E536D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2728987603.000001DB5C4F2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002B.00000002.2914256319.000002448624C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.2273338686.000001852EE87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002D.00000002.3320390097.000001CB82F92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2580919878.0000027B6752C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.2964085586.00000218687A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2783599588.0000026489BDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000002.2806142232.000002961CEA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.2807215547.00000218006ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.2807215547.000002180090C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000017.00000002.2283821517.000001F108590000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2605293146.0000027B7FD3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2816243868.000002648A541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2696677419.000002D683CA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2580919878.0000027B67521000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000022.00000002.2380691148.00000269E4AA2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2580919878.0000027B67648000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.2991860336.0000021869B0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2821800701.000001D540A3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000000.2687330507.000002961CC52000.00000002.00000001.01000000.0000002C.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000022.00000000.2342760248.00000269E48C2000.00000002.00000001.01000000.0000001A.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2758503201.000002944E94A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2578123901.0000027B001DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.2964085586.00000218686E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.2767597626.00000215FD76C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2718479214.000002944DBF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2580919878.0000027B67341000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001E.00000002.2364821754.000001F907160000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.2978934094.0000021869540000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000005.00000002.2106152856.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000013.00000002.2269551322.0000013F41FA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2437275862.000002263C2C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001E.00000002.2364593765.000001F906F33000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2598077770.0000027B7F7AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2810177979.000001D53FC5B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000003.2710479187.0000000004D38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.2978934094.00000218694F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000013.00000002.2268569474.0000013F41710000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.2767597626.00000215FD785000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000013.00000002.2268622042.0000013F4177D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2437275862.000002263C279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000022.00000002.2406223672.00007FF89FF79000.00000004.00000001.01000000.0000001B.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2434672436.000002263B84B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000017.00000002.2284589508.000001F108BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002B.00000002.2914256319.0000024486240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000022.00000002.2380074514.00000269E49B0000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002B.00000002.2977107535.000002449F460000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2434672436.000002263B898000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2674549384.000002D683AED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2821800701.000001D540644000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2821800701.000001D5404E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.2761259556.00000215FD700000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002B.00000000.2617750941.00000244861C2000.00000002.00000001.01000000.00000026.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000013.00000002.2268622042.0000013F41730000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.2807215547.00000218009B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002D.00000002.3319498796.000001CB82F02000.00000002.00000001.01000000.0000004D.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000013.00000000.2244442728.0000013F415E2000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000003.2895959502.0000013FED620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000002.2822805972.000002961DE1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.2784580394.00000215FE8C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2728987603.000001DB5C53E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2816243868.000002648A5C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2601654829.0000027B7FC30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000002.2822805972.000002961D906000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002D.00000002.3314224341.000001CB8293F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.2807215547.0000021800377000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2160988199.000002C5AE234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2160988199.000002C5AE23A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000002.2806142232.000002961CE9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.2807215547.000002180094C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000000.2647790418.000002D683892000.00000002.00000001.01000000.00000028.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.2806807839.000000B0DD1F4000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2705317497.000002D684221000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000002.2822805972.000002961DDA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000022.00000002.2391241657.00000269FE7F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2819356519.000001D53FEE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.2807215547.00000218004E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2160988199.000002C5AE2FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.2271976628.000001852E580000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000013.00000002.2269551322.0000013F41F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.2807215547.0000021800548000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.2991860336.0000021869A64000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2159786802.000002C5AC600000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002D.00000002.3314224341.000001CB82901000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.2807215547.0000021800713000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2603432372.0000027B7FCDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000011.00000003.2170478630.00000000046DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.2784580394.00000215FE8B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000003.2063828795.0000000004534000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2437275862.000002263C051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2804841516.0000029466C55000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002B.00000002.2980050197.000002449F49F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000006.00000003.2108722058.00000000041E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2754905148.000001DB5C752000.00000002.00000001.01000000.00000036.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2758503201.000002944E493000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002D.00000002.3311782814.0000002ED9F51000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000022.00000002.2382587021.00000269E581F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000005.00000003.2075226242.0000000004D26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000002.2903899814.0000029635ED3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002D.00000002.3320390097.000001CB82F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.2716685556.000002158016F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2580919878.0000027B67071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000000.2675329099.000002944D9B2000.00000002.00000001.01000000.0000002A.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2762286308.000001DB5CDE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000022.00000002.2382587021.00000269E5281000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2758503201.000002944E678000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.2716685556.0000021580020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000002.2822805972.000002961DABE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 7120, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 1600, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 5244, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AteraAgent.exe PID: 5404, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AteraAgent.exe PID: 5448, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 6720, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7060, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 1848, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 4712, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AteraAgent.exe PID: 4524, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 5304, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: cmd.exe PID: 2072, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: cscript.exe PID: 6540, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AgentPackageMonitoring.exe PID: 6716, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7504, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: cmd.exe PID: 7588, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: cscript.exe PID: 7656, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AgentPackageUpgradeAgent.exe PID: 7696, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AgentPackageTicketing.exe PID: 7780, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageSTRemote.exe PID: 7812, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageUpgradeAgent.exe PID: 7912, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageInternalPoller.exe PID: 7972, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageOsUpdates.exe PID: 8084, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageHeartbeat.exe PID: 8140, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 5772, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageProgramManagement.exe PID: 4508, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 320, type: MEMORYSTR
                                Source: Yara matchFile source: C:\Windows\Temp\~DFCE3F0DE558344BD6.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\chocolatey.log, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF4DE34DAD7D3601C7.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF5E319E7646B18B95.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF23C39B378EC4AF4F.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF93CF73A321659BF9.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFBF46613FB0EC149F.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFDCD3E3178C7DA434.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\AteraSetupLog.txt, type: DROPPED
                                Source: Yara matchFile source: C:\Config.Msi\42b8c5.rbs, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF0E46AA4143BA933B.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFAB8C01D75D048A21.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF48243D498F4590B8.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Config.Msi\42b8c0.rbs, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF766EA6E4B5F83B09.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSIF074.tmp, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSIBCE7.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF00F0C3246A438DDE.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\choco.summary.log, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF3799968C382D1BD4.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSICC98.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFEF3CEE6A03484DCA.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSIB567.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSIE45B.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF419CAFE4B9E9973D.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFD70EE075D533C6D0.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFB620A0199B5C5F87.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSICE7D.tmp, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Config.Msi\42b8cd.rbs, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\System32\InstallUtil.InstallLog, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFB40092767CAD3D25.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSID66F.tmp, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSIBA36.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\choco-logs\09-05-2024 11_24_15-log.txt, type: DROPPED
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: 34_2_00007FF89FE2B9F0 GetModuleHandleW,OutputDebugStringA,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,GetLastError,GetProcAddress,OutputDebugStringA,OutputDebugStringA,CorBindToRuntimeEx,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,_snprintf,OutputDebugStringA,34_2_00007FF89FE2B9F0
                                ATT&CK matrix (cell layout not preserved). Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
                                Behavior graph (image not preserved). Behavior Graph ID: 1505009, Sample: SecuriteInfo.com.Program.Re..., Startdate: 05/09/2024, Architecture: WINDOWS, Score: 100

                                Source | Detection | Scanner | Label | Link
                                SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msi | 21% | ReversingLabs | Win32.Trojan.Atera
                                Source | Detection | Scanner | Label | Link
                                42b8c6.rbf (copy) | 21% | ReversingLabs | Win32.Trojan.Atera
                                42b8c8.rbf (copy) | 0% | ReversingLabs
                                42b8c9.rbf (copy) | 0% | ReversingLabs
                                42b8ca.rbf (copy) | 0% | ReversingLabs
                                42b8cb.rbf (copy) | 0% | ReversingLabs
                                42b8cc.rbf (copy) | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | 21% | ReversingLabs | Win32.Trojan.Atera
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Infrastructure.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Tools.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\CliWrap.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Abstractions.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Binder.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.CommandLine.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.EnvironmentVariables.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.FileExtensions.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Json.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.UserSecrets.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.Abstractions.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Abstractions.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Physical.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileSystemGlobbing.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.Abstractions.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Http.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Abstractions.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Configuration.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Console.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Debug.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventLog.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventSource.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.ConfigurationExtensions.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Primitives.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Win32.TaskScheduler.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Newtonsoft.Json.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Polly.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Hosting.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Logging.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Sinks.File.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.DiagnosticSource.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.EventLog.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.ServiceProcess.ServiceController.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Text.Encodings.Web.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Text.Json.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\de\Microsoft.Win32.TaskScheduler.resources.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\es\Microsoft.Win32.TaskScheduler.resources.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\fr\Microsoft.Win32.TaskScheduler.resources.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\it\Microsoft.Win32.TaskScheduler.resources.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\pl\Microsoft.Win32.TaskScheduler.resources.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\ru\Microsoft.Win32.TaskScheduler.resources.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\browser\lib\net6.0\System.Text.Encodings.Web.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.Messages.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dll | 0% | ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.ServiceProcess.ServiceController.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-Hant\Microsoft.Win32.TaskScheduler.resources.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.Exceptions.dll0%ReversingLabs
                                No Antivirus matches
                                No Antivirus matches
                                Source  Detection  Scanner  Label  Link
                                No contacted domains info
                                Name  Source  Malicious  Antivirus Detection  Reputation
00000037.00000002.2762286308.000001DB5CDE1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003A.00000002.2822805972.000002961D7B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://community.chocolatey.org/api/v2/AgentPackageProgramManagement.exe, 0000003A.00000002.2822805972.000002961DABE000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://community.chocolatey.org/packages).AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://docs.chocolatey.org/en-us/create/functions/get-toolslocationAgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://community.chocolatey.org/api/v2AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGERUNTIMEINSTALLER/1.6/AGENTPACKAGERUNTIMEINSTALLEAteraAgent.exe, 00000019.00000002.2807215547.00000218009B4000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.ateHrAteraAgent.exe, 00000019.00000002.2807215547.00000218006F6000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://api.nuget.org/v3-flatcontainer/eo.webbrowser/24.1.46/eo.webbrowser.24.1.46.nupkgAgentPackageTicketing.exe, 0000002D.00000002.3320390097.000001CB82FAF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 0000002D.00000002.3319498796.000001CB82F02000.00000002.00000001.01000000.0000004D.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://crl.ssc.lt/root-b/cacrl.crl0AteraAgent.exe, 0000000E.00000002.2577904826.0000027B001B3000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://raw.githubusercontent.com/wiki/chocolatey/choco/images/gifs/choco_outdated.gifAgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://docs.chocolatey.org/en-us/create/functions/uninstall-binfileAgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.atera.com/agentpackageswin/AgentPackageNetworkDiscovery/15.0/AgentPackageNetworkDiscoveryAteraAgent.exe, 0000000E.00000002.2580919878.0000027B67341000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0AteraAgent.exe, 0000000E.00000002.2577860180.0000027B001AF000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://licensedpackages.chocolatey.org/api/v2/AgentPackageProgramManagement.exe, 0000003A.00000002.2822805972.000002961D7B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://westeurope-5.in.applicationinsights.azure.com/;LiveEndpoint=https://westeurope.livediagnostiAgentPackageTicketing.exe, 0000002D.00000002.3319498796.000001CB82F02000.00000002.00000001.01000000.0000004D.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.w3.orAgentPackageProgramManagement.exe, 0000003A.00000002.2822805972.000002961DD5D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003A.00000002.2822805972.000002961DE1E000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003A.00000002.2822805972.000002961DABE000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://community.chocolatey.org/packages/autohotkey.portableAgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://gist.github.com/jvshahid/6fb2f91fa7fb1db23599AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.00000296367E1000.00000002.00000001.01000000.00000047.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.2/AgentPackageAgAteraAgent.exe, 0000000E.00000002.2580919878.0000027B6717F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67341000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.atera.com/agentpackagesmac/AgentPackageHeartbeat/17.11/AgentPackageHeartbeat.zipAteraAgent.exe, 0000000E.00000002.2580919878.0000027B67341000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://somewhere/bob.exeAgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.00000296365D2000.00000002.00000001.01000000.00000047.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://community.chocolatey.org/api/v2/8AgentPackageProgramManagement.exe, 0000003A.00000002.2822805972.000002961D7B1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 0000003A.00000002.2822805972.000002961D906000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://aka.ms/dotnet/app-launch-failed&gui=trueShowingAteraAgent.exe, 00000019.00000002.2991860336.0000021869B0F000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://docs.chocolatey.org/en-us/create/functions/get-osarchitecturewidthAgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=84204da8-7f16-4194-9ed4-b10921ed652cAteraAgent.exe, 0000000E.00000002.2580919878.0000027B6717F000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://docs.chocolatey.org/en-us/create/functions/uninstall-chocolateyzippackageAgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zipAteraAgent.exe, 0000000E.00000002.2580919878.0000027B67341000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://agent-api.atera.comrundll32.exe, 00000004.00000003.2063828795.0000000004534000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2106152856.0000000005074000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2106152856.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2075226242.0000000004D26000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2108722058.00000000041E1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B67071000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2212651176.0000000004BD7000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2212651176.0000000004B31000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2170478630.00000000046DC000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.2269551322.0000013F41FA3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2273338686.000001852EEFF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.0000021800001000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.0000021800220000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2807215547.0000021800548000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2437275862.000002263C249000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2437275862.000002263C20D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2437275862.000002263C279000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 
0000001C.00000002.2437275862.000002263C051000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2382587021.00000269E536D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000026.00000002.2821800701.000001D5409B4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 0000002D.00000002.3320390097.000001CB82F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://github.com/dotnet/runtimeuMicrosoft.Extensions.Hosting.dll.25.drfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://www.nuget.org/packages/NLog.Web.AspNetCoreAgentPackageMonitoring.exe, 00000022.00000002.2390537214.00000269FDDC8000.00000002.00000001.01000000.00000022.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2389765735.00000269FDCF2000.00000002.00000001.01000000.00000022.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://github.com/dahlbyk/posh-git/blob/1941da2472eb668cde2d6a5fc921d5043a024386/LICENSE.txtAgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.00000296365D2000.00000002.00000001.01000000.00000047.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://docs.chocolatey.org/en-us/create/functions/install-chocolateyshortcutAgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.w3.ohAteraAgent.exe, 0000000D.00000002.2160988199.000002C5AE23A000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.jrsoftware.org/ishelp/index.php?topic=setupexitcodesAgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.00000296365D2000.00000002.00000001.01000000.00000047.sdmp, Start-ChocolateyProcessAsAdmin.ps1.58.drfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://agent-api.atera.com/Production/Agent/GetCommandsAteraAgent.exe, 0000000E.00000002.2580919878.0000027B6717F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2580919878.0000027B670F3000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.2/AgentPackageAAteraAgent.exe, 0000000E.00000002.2580919878.0000027B67341000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://chocolatey.org/comparepAgentPackageProgramManagement.exe, 0000003A.00000002.2822805972.000002961D906000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://community.chocolatey.org/api/v2/.AgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://somewhere123zzaafasd.invalidAgentPackageProgramManagement.exe, 0000003A.00000002.2919280057.0000029636854000.00000002.00000001.01000000.00000047.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip?AteraAgent.exe, 00000019.00000002.2807215547.000002180094C000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://schemas.xmlsoap.org/wsdl/AgentPackageProgramManagement.exe, 0000003A.00000002.2822805972.000002961D7B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://agent-api.atera.com/Production/AAteraAgent.exe, 00000019.00000002.2807215547.0000021800548000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://nlog-project.org/ws/AgentPackageMonitoring.exe, 00000022.00000002.2389765735.00000269FDCF2000.00000002.00000001.01000000.00000022.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://crl3.digiceAteraAgent.exe, 00000019.00000002.2991860336.0000021869AE8000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesTAgentPackageMonitoring.exe, 00000022.00000002.2389765735.00000269FDCF2000.00000002.00000001.01000000.00000022.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ps.atera.com/aAteraAgent.exe, 0000000E.00000002.2580919878.0000027B6752C000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://urn.to/r/sds_seeAgentPackageMonitoring.exe, 00000022.00000002.2389296880.00000269FDC82000.00000002.00000001.01000000.00000021.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                • No. of IPs < 25%
                                • 25% < No. of IPs < 50%
                                • 50% < No. of IPs < 75%
                                • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
40.119.152.241 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
93.184.221.240 | unknown | European Union | 15133 | EDGECASTUS | false
18.66.112.125 | unknown | United States | 3 | MIT-GATEWAYSUS | false
13.107.246.42 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
35.157.63.228 | unknown | United States | 16509 | AMAZON-02US | false
20.37.139.187 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
172.202.80.17 | unknown | United States | 18747 | IFX18747US | false
192.229.221.95 | unknown | United States | 15133 | EDGECASTUS | false
20.60.197.1 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
18.66.112.74 | unknown | United States | 3 | MIT-GATEWAYSUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1505009
Start date and time: 2024-09-05 17:22:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 13m 48s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 65
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msi
Detection: MAL
Classification: mal100.troj.spyw.evad.winMSI@106/597@0/10
EGA Information:
• Successful, ratio: 16.7%
HCA Information:
• Successful, ratio: 65%
• Number of executed functions: 394
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .msi
• Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe
• Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 1848 because it is empty
• Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 4712 because it is empty
• Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 7060 because it is empty
• Execution Graph export aborted for target AteraAgent.exe, PID 4524 because it is empty
• Execution Graph export aborted for target AteraAgent.exe, PID 5404 because it is empty
• Execution Graph export aborted for target AteraAgent.exe, PID 5448 because it is empty
• Execution Graph export aborted for target rundll32.exe, PID 1600 because it is empty
• Execution Graph export aborted for target rundll32.exe, PID 5244 because it is empty
• Execution Graph export aborted for target rundll32.exe, PID 6720 because it is empty
• Execution Graph export aborted for target rundll32.exe, PID 7120 because it is empty
• Not all processes where analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Skipping network analysis since amount of network traffic is too extensive
• VT rate limit hit for: SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msi
Time | Type | Description
11:23:08 | API Interceptor | 2x Sleep call for process: rundll32.exe modified
11:23:12 | API Interceptor | 1418x Sleep call for process: AteraAgent.exe modified
11:23:25 | API Interceptor | 37x Sleep call for process: AgentPackageAgentInformation.exe modified
11:23:34 | API Interceptor | 14x Sleep call for process: AgentPackageMonitoring.exe modified
11:24:05 | API Interceptor | 1x Sleep call for process: AgentPackageSTRemote.exe modified
11:24:07 | API Interceptor | 13x Sleep call for process: AgentPackageHeartbeat.exe modified
11:24:08 | API Interceptor | 22795x Sleep call for process: AgentPackageTicketing.exe modified
11:24:08 | API Interceptor | 1x Sleep call for process: AgentPackageInternalPoller.exe modified
11:24:15 | API Interceptor | 19x Sleep call for process: AgentPackageProgramManagement.exe modified
11:24:28 | API Interceptor | 6x Sleep call for process: AgentPackageUpgradeAgent.exe modified
17:24:04 | Task Scheduler | Run new task: Monitoring Recovery path: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe s>schedulerrun
17:25:24 | Autostart | Run: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce {ff783edd-4e4e-491d-9d9c-72f3aa70cedf} "C:\ProgramData\Package Cache\{ff783edd-4e4e-491d-9d9c-72f3aa70cedf}\dotnet-runtime-6.0.32-win-x64.exe" /burn.runonce
                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                40.119.152.241SecuriteInfo.com.Program.RemoteAdminNET.1.22990.5900.msiGet hashmaliciousAteraAgentBrowse
                                  Y3Wvl9aYAU.cmdGet hashmaliciousAteraAgentBrowse
                                    SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msiGet hashmaliciousAteraAgentBrowse
                                      SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msiGet hashmaliciousAteraAgentBrowse
                                        4PP--0001S4D8S_DANFE000S1AS4SD5555522A1111.msiGet hashmaliciousAteraAgentBrowse
                                          setup_it_security (1).msiGet hashmaliciousAteraAgentBrowse
                                            SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msiGet hashmaliciousAteraAgentBrowse
                                              Adobe.msiGet hashmaliciousAteraAgentBrowse
                                                SecuriteInfo.com.Program.RemoteAdminNET.1.29844.msiGet hashmaliciousGhostRatBrowse
                                                  VirginMediaBill26012020.msiGet hashmaliciousGhostRatBrowse
                                                    93.184.221.240Rechnung.pdfGet hashmaliciousUnknownBrowse
                                                      Employee Appraisal Egrazak Hilcorp Agreement Signature Required.pdfGet hashmaliciousUnknownBrowse
                                                        Payment.pdfGet hashmaliciousHTMLPhisherBrowse
                                                          San Xavier District of the Tohono O#U2019odham Nation.pdfGet hashmaliciousUnknownBrowse
                                                            Murexltd Mail Security Update Required For gjohnson@murexltd.com.msgGet hashmaliciousHTMLPhisherBrowse
                                                              original (3).emlGet hashmaliciousUnknownBrowse
                                                                https://wavebrowser.co/Get hashmaliciousUnknownBrowse
                                                                  Remittance 728 Norriselectric0032xslx.pdfGet hashmaliciousHTMLPhisherBrowse
                                                                    Review_Aonoro.pdfGet hashmaliciousUnknownBrowse
                                                                      2024AdoptionConference-WhovaDirections-Desktop.pdfGet hashmaliciousUnknownBrowse
                                                                        18.66.112.125https://www.easeus.com/backup-recovery/refresh-windows-11.htmlGet hashmaliciousUnknownBrowse
                                                                          13.107.246.42https://protect-us.mimecast.com/s/FVibCzpzxLsxEMXAhgAOBCGet hashmaliciousUnknownBrowse
                                                                          • www.mimecast.com/Customers/Support/Contact-support/
                                                                          http://border-fd.smartertechnologies.com/Get hashmaliciousUnknownBrowse
                                                                          • border-fd.smartertechnologies.com/
                                                                          https://protect-us.mimecast.com/s/4MrPCrkvgotDWxrNCzxa8pGet hashmaliciousUnknownBrowse
                                                                          • www.mimecast.com/
                                                                          No context
                                                                           Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                          No context
                                                                           Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):145968
                                                                                                                  Entropy (8bit):5.874150428357998
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                  MD5:477293F80461713D51A98A24023D45E8
                                                                                                                  SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                  SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                  SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 21%
                                                                                                                  Joe Sandbox View:
                                                                                                                   • Filename: Y3Wvl9aYAU.cmd, Detection: malicious
                                                                                                                   • Filename: SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msi, Detection: malicious
                                                                                                                   • Filename: SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi, Detection: malicious
                                                                                                                   • Filename: 4PP--0001S4D8S_DANFE000S1AS4SD5555522A1111.msi, Detection: malicious
                                                                                                                   • Filename: setup_it_security (1).msi, Detection: malicious
                                                                                                                   • Filename: Guidelines_for_Citizen_Safety.msi, Detection: malicious
                                                                                                                   • Filename: SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi, Detection: malicious
                                                                                                                   • Filename: forumapp.msi, Detection: malicious
                                                                                                                   • Filename: Adobe.msi, Detection: malicious
                                                                                                                   • Filename: VANTAGENS_BBCLIENTES00001S4D444400000S.msi, Detection: malicious
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1442
                                                                                                                  Entropy (8bit):5.076953226383825
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                  MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                  SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                  SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                  SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                  Malicious:false
                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):215088
                                                                                                                  Entropy (8bit):6.030864151731967
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                  MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                  SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                  SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                  SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Joe Sandbox View:
                                                                                                                   • Filename: Y3Wvl9aYAU.cmd, Detection: malicious
                                                                                                                   • Filename: SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msi, Detection: malicious
                                                                                                                   • Filename: SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msi, Detection: malicious
                                                                                                                   • Filename: 4PP--0001S4D8S_DANFE000S1AS4SD5555522A1111.msi, Detection: malicious
                                                                                                                   • Filename: setup_it_security (1).msi, Detection: malicious
                                                                                                                   • Filename: Guidelines_for_Citizen_Safety.msi, Detection: malicious
                                                                                                                   • Filename: SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi, Detection: malicious
                                                                                                                   • Filename: forumapp.msi, Detection: malicious
                                                                                                                   • Filename: Adobe.msi, Detection: malicious
                                                                                                                   • Filename: VANTAGENS_BBCLIENTES00001S4D444400000S.msi, Detection: malicious
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):710192
                                                                                                                  Entropy (8bit):5.96048066969898
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                  MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                  SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                  SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                  SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):602672
                                                                                                                  Entropy (8bit):6.145404526272746
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                  MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                  SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                  SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                  SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):73264
                                                                                                                  Entropy (8bit):5.954475034553661
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                  MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                  SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                  SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                  SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3318832
                                                                                                                  Entropy (8bit):6.534876879948643
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                  MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                  SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                  SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                  SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):8901
                                                                                                                  Entropy (8bit):5.664201301313878
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:Vjjxz1ccbTOOeMeyt6117r6IHf17r6kAVv70HVotBVeZEmzmYpLAV77r0pY9Xr:V/D2VVpVtiB2i7
                                                                                                                  MD5:050EA07784DFCA7D0BDB6F442C763FEB
                                                                                                                  SHA1:536AA613A847856A30912A6D80B5063A6286588E
                                                                                                                  SHA-256:0C15688A9C48A11123CE51B39677BA444FC3FC764420067904844A1F79A51427
                                                                                                                  SHA-512:CC474552581AC87ACF679A04A9510F8E885D460E6B293F1424059E7FFE74ED340991E5A063CFFCF7B265CDD7C25EC058C05A685F551C3999D42BA96C5ED9645E
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\42b8c0.rbs, Author: Joe Security
                                                                                                                  Preview:...@IXOS.@.....@.Z%Y.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent8.SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....StopAteraServiceQuiet....KillAteraTaskQuiet....ProcessComponents..Updating component registration..&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{C8C868DC-3A5E-4180-A7BB-03D6282966CB}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{0EC8B23C-C723-41E1-9105-4B9C2CDAD47A}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F1B1B9D1-F1B0-420C-9D93-F04E9BD4795D}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{5F95F700-DCA4-4880-B2D2-891AE0D6E1A3}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F62C52BA-15C7-4C3D-AAB2-DE65004F9665}&.{E732A0D7-A2F2-4657
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):9567
                                                                                                                  Entropy (8bit):5.569845301227191
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:gjjGHcRxbLCsgRubLCMDp17qEVl0pHLALtyD0qagukGGhaKfmbHt1faukIrEcZ:g/1RFgRYd4KKLuFT
                                                                                                                  MD5:C1D3DE6ADD23D2DEDFE661B5E847997D
                                                                                                                  SHA1:48183D35131B1C15D44303E8655986FE60475F6F
                                                                                                                  SHA-256:08C8A139DA9DCC159F99F6DE9D09623436797A8E5F99953B0E8F055525E3F10B
                                                                                                                  SHA-512:2B90A15175544749424214C086031A4517F0BA1F2601E2183F4F3CE038B6E678CFBEF6C2EC6F64067F0430F3FB9FE4EF43AF985CFFDD424FDE21D90EC6D39498
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\42b8c5.rbs, Author: Joe Security
                                                                                                                  Preview:...@IXOS.@.....@.[%Y.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent8.SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....InstallInitialize$..@....z.Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7D0A237E2F2A7564CA141B792446E854\Transforms...@....(.$..@....@.Software\Microsoft\Windows\CurrentVersion\Installer\TempPackages...@....(.&...C:\Windows\Installer\42b8c1.msi..#0$..@......Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7D0A237E2F2A7564CA141B792446E854\InstallPropertiesx.....\...l.............H.........?...................9...................?........... ... ........... ... ................@....%...AuthorizedCDFPrefix%...Comments%...Contact%...D
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):8767
                                                                                                                  Entropy (8bit):5.654201242353794
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:4y7wo+fncHMed91F6ITF6k7s5VNpkxYpLso:4Po+fncHxbFVFtSNpkcP
                                                                                                                  MD5:0265F830DB121C9480AF4F1883C3870B
                                                                                                                  SHA1:95F66FF438317851331D76A3A2B09719048AA442
                                                                                                                  SHA-256:8B78E04E0D7FAACDA2104CE8F651FC9353127C91A7BAB9DD36D40FE1FAEB0E8E
                                                                                                                  SHA-512:E57F9A9E5D0FF272EF9709B9CC4B63B06E2D00C84CCFA6652444ECC58FE1B4A2632911175E31293F9E0879ECC07B17F7393467F7C4774E8D02E38C94BF14921F
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\42b8cd.rbs, Author: Joe Security
                                                                                                                  Preview:...@IXOS.@.....@.[%Y.@.....@.....@.....@.....@.....@......&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}..AteraAgent..ateraAgentSetup64_1_8_7_2.msi.@.....@.....@.....@........&.{911E9E2F-B38D-4D02-A148-5E49FC9D8943}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....StopAteraServiceQuiet....KillAteraTaskQuiet....ProcessComponents..Updating component registration..&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{C8C868DC-3A5E-4180-A7BB-03D6282966CB}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{0EC8B23C-C723-41E1-9105-4B9C2CDAD47A}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{F1B1B9D1-F1B0-420C-9D93-F04E9BD4795D}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{5F95F700-DCA4-4880-B2D2-891AE0D6E1A3}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{F62C52BA-15C7-4C3D-AAB2-DE65004F9665}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):753
                                                                                                                  Entropy (8bit):4.853078320826549
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:qLLYem7haYNem7hcomf3em7hUQLtygXnC9xkKxeCsx/Yem7haYNem7hcomf3em7B:qLUVhzVhM3VhdLtXXIxkKxeCsOVhzVhY
                                                                                                                  MD5:8298451E4DEE214334DD2E22B8996BDC
                                                                                                                  SHA1:BC429029CC6B42C59C417773EA5DF8AE54DBB971
                                                                                                                  SHA-256:6FBF5845A6738E2DC2AA67DD5F78DA2C8F8CB41D866BBBA10E5336787C731B25
                                                                                                                  SHA-512:CDA4FFD7D6C6DFF90521C6A67A3DBA27BF172CC87CEE2986AE46DCCD02F771D7E784DCAD8AEA0AD10DECF46A1C8AE1041C184206EC2796E54756E49B9217D7BA
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, Author: Joe Security
                                                                                                                  Preview:.Installing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..Installing service AteraAgent.....Service AteraAgent has been successfully installed...Creating EventLog source AteraAgent in log Application.....Committing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (7463), with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):7466
                                                                                                                  Entropy (8bit):5.1606801095705865
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BefnanGEkn56vT4ZvR++JDr+:NexdYX7OSRjXsaA0Ndhi
                                                                                                                  MD5:362CE475F5D1E84641BAD999C16727A0
                                                                                                                  SHA1:6B613C73ACB58D259C6379BD820CCA6F785CC812
                                                                                                                  SHA-256:1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
                                                                                                                  SHA-512:7630E1629CF4ABECD9D3DDEA58227B232D5C775CB480967762A6A6466BE872E1D57123B08A6179FE1CFBC09403117D0F81BC13724F259A1D25C1325F1EAC645B
                                                                                                                  Malicious:false
                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):145968
                                                                                                                  Entropy (8bit):5.874150428357998
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                  MD5:477293F80461713D51A98A24023D45E8
                                                                                                                  SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                  SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                  SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 21%
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1442
                                                                                                                  Entropy (8bit):5.076953226383825
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                  MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                  SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                  SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                  SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                  Malicious:true
                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3318832
                                                                                                                  Entropy (8bit):6.534876879948643
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                  MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                  SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                  SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                  SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):215088
                                                                                                                  Entropy (8bit):6.030864151731967
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                  MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                  SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                  SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                  SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):710192
                                                                                                                  Entropy (8bit):5.96048066969898
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                  MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                  SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                  SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                  SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1966298
                                                                                                                  Entropy (8bit):7.9989725851892
                                                                                                                  Encrypted:true
                                                                                                                  SSDEEP:24576:HELBDnMsmlLa7SwvAQAQI3/ehJQmjJaLbjvQInz96/pU7jy5EFgxivT9rnzvDbOU:kJMJig3/ekmlQjvQQLUNxqrzrmniuxa
                                                                                                                  MD5:B110BA42CA8D339B18293AC3F1E94F03
                                                                                                                  SHA1:E21AC41D052159076B34823D2653DB0DECDF7F8C
                                                                                                                  SHA-256:C860712A06A55CDDDFED7A9F86F0DF36DA1E475B9901148D07D5B02331BA0F77
                                                                                                                  SHA-512:D81EFA032F3FF5EDC247440CFF1E911A82230B757C02534209FEAD7ECF630FE5308F9A32A78CC229F175CB447735D539EB61039BFB4FF9F8E77B8DBCCDA2B0BA
                                                                                                                  Malicious:false
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:JSON data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):39359
                                                                                                                  Entropy (8bit):5.001117795800814
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:Yt5DUarXaaec21v5Oc5/MNXP4RBTEQ88jnfA:YvDUarXaaecC5Oc5/mXP4TTEuA
                                                                                                                  MD5:B4CB4604F8C7F02757664874D862DD77
                                                                                                                  SHA1:6FDB3AEBCEAAFBCFE21333DA021DCD96F8B78B7B
                                                                                                                  SHA-256:54289873BCDBAD889E6304E7E1B21D5973BBDD0E1AA73BD19382CFA23713D1CE
                                                                                                                  SHA-512:46C27C62CE35512643EE023630A264BFBE1CA41B18BA44E1659B3AF26C0A44E3ABA73D7B90DB77835A76CEE33035791887B722348AA98CB2C4CC9B32F30CEF01
                                                                                                                  Malicious:false
                                                                                                                  Preview:{.. "runtimeTarget": {.. "name": ".NETCoreApp,Version=v6.0",.. "signature": "".. },.. "compilationOptions": {},.. "targets": {.. ".NETCoreApp,Version=v6.0": {.. "Agent.Package.Watchdog/1.5": {.. "dependencies": {.. "Atera.Agent.Package.Infrastructure": "1.2.4",.. "Atera.Agent.Package.Tools": "1.0.22",.. "System.ServiceProcess.ServiceController": "8.0.0",.. "TaskScheduler": "2.10.1".. },.. "runtime": {.. "Agent.Package.Watchdog.dll": {}.. }.. },.. "Atera.Agent.Package.Infrastructure/1.2.4": {.. "dependencies": {.. "Microsoft.Extensions.Hosting": "7.0.1",.. "Newtonsoft.Json": "13.0.3",.. "Polly": "7.2.3",.. "Serilog.Extensions.Hosting": "5.0.1",.. "Serilog.Sinks.File": "5.0.0".. },.. "runtime": {.. "lib/net6.0/Atera.Agent.Package.Infrastructure.dll": {.. "assemblyVersion": "1.2.4.0",.. "fileVe
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):35920
                                                                                                                  Entropy (8bit):6.456207579215664
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:kj2zXcZGQ2FEagbbE9xEHCC+ud1VEpYinAMxCin:4YCauE9xc+K1O7HxF
                                                                                                                  MD5:1E283F1A342729D63266E2DD2C851E2F
                                                                                                                  SHA1:47B2551B2F9C3E9E6F2D68E67B1E0D0A539F315E
                                                                                                                  SHA-256:98CE24EFC2EF680BFCD5D98E3AC273B148B0828D256ADBA003F57F66E1EC7FC4
                                                                                                                  SHA-512:BD84EDA89C91DFEFBAEB6EA952A3BAF2EDBDBCDAB08B5A4437DB2A1F21F82A7BDDBDE9C12C00FEC8CD99FCE75CD945D189EED083BD0AD77DB00353B631DD5D20
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):159824
                                                                                                                  Entropy (8bit):6.224052560324469
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:5czkitvo4BpYN/6mBPry8TXROLdW5m4mUR39OOGu0kpNY:5A4NCmBPry/N2jOOHS
                                                                                                                  MD5:0B7534A49A757D7525F7FC966D6CAF5F
                                                                                                                  SHA1:2548A8D4BFE81D194A42A6DF1761AB910DECCBCA
                                                                                                                  SHA-256:312755B522A3CB212A2D5E0DF2888699C35DE233A2DC198C37475E2BF414B0A1
                                                                                                                  SHA-512:4D3105E7669093DF8364543571D839D0FD573153EED27D82860984797FB30853C3F5FB7707BF97442D4AB71783012FBBB3D9AB1A2D6ACBEA335F06B756FD4796
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):13
                                                                                                                  Entropy (8bit):3.7004397181410926
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:WhUkov:Wtov
                                                                                                                  MD5:4F935A094C5DB43100C1C6191F1D2257
                                                                                                                  SHA1:D35F739210BF40D4E936975C00BF90F015DA6847
                                                                                                                  SHA-256:01AC8D880AA7CB47A4C9475593AC81924D0D51CEB9C3276BA11F5848AFA05FE1
                                                                                                                  SHA-512:C60461AE0FE1DF07D67FC55012DCDA8E2615DBCEAA885EE1DB9FB2E4FCF71990730FBFA10300A957D8E1908D1B9FA61A36A665ED63C934E07958DC73606C5AF3
                                                                                                                  Malicious:false
                                                                                                                  Preview:version=1.5..
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:JSON data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):253
                                                                                                                  Entropy (8bit):4.585549446641918
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6:3Hp/hdNyhAkI/XCkyFNOJeZS1sHZeQ6NOCUo+K8EkNTy:dFkp5MeU1s5hex+K8Es2
                                                                                                                  MD5:24E4653829DE1022D01CD7DDD26E2F22
                                                                                                                  SHA1:9160A009CB381E044BA4C63E4435DA6BFEB9DC6D
                                                                                                                  SHA-256:DED3AEB5856A11DB0B654A785574490CAB55839EBFB17EFE9E39B89618FC5B91
                                                                                                                  SHA-512:EFD4BBBA1BAEC0B47003831510E3AA539DB9EF468E0F06BA9D7BA6D0B3800035F7C818D7D90171BFD377EC97D08C4617555BCFF635DD83EFCEB412B1A9CCA820
                                                                                                                  Malicious:false
                                                                                                                  Preview:{.. "runtimeOptions": {.. "tfm": "net6.0",.. "framework": {.. "name": "Microsoft.NETCore.App",.. "version": "6.0.0".. },.. "configProperties": {.. "System.Reflection.Metadata.MetadataUpdater.IsSupported": false.. }.. }..}
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):53840
                                                                                                                  Entropy (8bit):6.300468155319662
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:4dUSqld/oh93y+UR4ULL4L88EKNoo9sXQqt9EpYinAMxCQr:4d2P/phL4L8KGo9sgqt27Hxb
                                                                                                                  MD5:355567F26142F9101526CB91F98FB03D
                                                                                                                  SHA1:B7D5B6C9D78A4C7F4775F79F68B640D2E90DF1E0
                                                                                                                  SHA-256:6D81FB3829261543D93FF02BF239BD25A39E41DCB645381F0A8C9D53E8694A68
                                                                                                                  SHA-512:C72ADB068410D53C085BC5DEA0CADB6D2C55603566923C12547CA2D897D1F238F706BD1F7A046E97A8A21C95DB4B97EE70A32BD559437508B65887686CDBE6A3
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):66640
                                                                                                                  Entropy (8bit):6.273913453163328
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:PO4QNCMhTIDWo+hDbEicjIeoCtU1a1ZTG/2u2Xv2vFbanu5fEpYinAMxCIiO:xQTIywi3eobgTG/2u2/wb0u5Y7HxwO
                                                                                                                  MD5:90916CE0E528B775C1179E96F86CA200
                                                                                                                  SHA1:6F64812C50EC9E6672CB088903F913168F35430A
                                                                                                                  SHA-256:BB828056E376EF41E40F212FB6AD2990227CBCF821D4835263180C4768795249
                                                                                                                  SHA-512:EB027447FB79E3E0A397EF173205596C8DFA936C9CB0F88B9A27ADFBB0F3E1B4E28F18FC907F3BFF2C4A39BB03B8131A5998E90F2BA60E4F522B7BF36D1C18BD
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):186448
                                                                                                                  Entropy (8bit):6.958336672022744
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:ChOh6zHpz7YSkfd6kUYm4wlb6QAGcbLQpgjOHopZb7UsUDfAbmn1F8mkmBC:ChJ177+9jQAVph4sUDfAbm1F8MC
                                                                                                                  MD5:6DDA20C58ED67382D0B5D7A17FAF6A4A
                                                                                                                  SHA1:5C39B32EDAA98E70BF01DACE2C59D6EC304F8DD1
                                                                                                                  SHA-256:43EFFADADAA2FD01EE7DB52BFEC67F9A1E9E2F8FC276B4EC244BB24B854315BB
                                                                                                                  SHA-512:8984AFB415FC19ABB4358455DE47FD4FB3EE75F005772AF4204508F1DB47B21E93EAAC7410FB5001BC59F922A5489599FAFCBF589B6DCBD891C9686C8BF46B71
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):29264
                                                                                                                  Entropy (8bit):6.524120604887875
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:9+q+2Vv/+usFlLVyKo/9ETG/DwzzRjz69M1ZVMdWs6NWsaaNyb8E9VF6IYinAM+R:9+EF/CvyKohrqnDEpYinAMxCtz
                                                                                                                  MD5:8A86E5FF5D774C00992E276CFACECF80
                                                                                                                  SHA1:F19FD07AE29B32579E75A0E4E738EF878835A037
                                                                                                                  SHA-256:BB6667D93A1258A76DF2C007083A1E7CC000BB5BEA3195544EAC733C6259A540
                                                                                                                  SHA-512:B35960BB4908F05602D375AD24316E293B05FEC90A6E366D32F3CA7CA37BDBE0158F572EAA7BB8C6C387691DAA2AE213258603E4658BA99767FDC0D9BE4E5972
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):42576
                                                                                                                  Entropy (8bit):6.408969180714612
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:uThLeDjUB16TI1CQ12cMcFgL/l5d4EpYinAMxCB:uTvB71dEcME45dB7Hxy
                                                                                                                  MD5:071B50004B2ABE329A964ECD09A7E896
                                                                                                                  SHA1:08D2A3056856235113C43CA3FA27D47C759F7EB6
                                                                                                                  SHA-256:E8C446C1ACC2E0BC2DC9A80E286456B9A84B5DB5B1D4101C612BBFBD331EE0A9
                                                                                                                  SHA-512:6608AA59D25BB19F7B34717083C8BD60CFAFD299D982445BC491C12E265C9BDFE92A23CCE45074583184C6F2A128CD2646EF05DF59FC82C7B5CF4D8F3046E19E
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):25168
                                                                                                                  Entropy (8bit):6.670940956884048
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:wYEMITBweJkneGO3WKGW9anWsVNyb8E9VF6IYinAM+oCOScXu:2TBwa7dEtxEpYinAMxC+u
                                                                                                                  MD5:D950E5EC874F7C62306B93500FD36BBA
                                                                                                                  SHA1:530F5F348CE9B50C396629A16F6F815F2495722F
                                                                                                                  SHA-256:416CCF9CDAB49BB9DC2B4259E0D5B4434540AC82C1BC166F85D3CBD9F8942D4D
                                                                                                                  SHA-512:B374D9A55A99603CD623D0876CEB8235FC235A09C8DA9BD0FEF9AFB2EA11574811E9073AFAF6DB56697AA3E75546BC61F029384404544D0299046EF239406E96
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):21584
                                                                                                                  Entropy (8bit):6.717352450932083
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:N6jxRm3soGTeZeszQm31WUKeWsJNyb8E9VF6IYinAM+oCen75ikD:Mj23spTeZposNEpYinAMxC7kD
                                                                                                                  MD5:C2177320BC76C026D8C554D8CFEC1F2F
                                                                                                                  SHA1:A208DC6AE7A5FE8FBAF5F5FDAC980B0360A667EC
                                                                                                                  SHA-256:F971952E34D3BFA8263D8B5FD7F4F251B9D8C969E3EC2325AF0A3BFFD43DC946
                                                                                                                  SHA-512:39A7258DF35A89A6A9B68220CA0AD159839739F8EC6DF987EE7C53CEBC2B55C44A3FD81718F620B45B14EB6AF2075A1AD5DDFA895CF34B71A0947B1BEF7CE389
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):28240
                                                                                                                  Entropy (8bit):6.602224449204335
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:pzp434gr92+liFe/5XjtCZ0UaFoSc43IXABPpBzWq66WstNyb8E9VF6IYinAM+ox:5xk1/9jtGhScRwPpByoJEpYinAMxC8LX
                                                                                                                  MD5:A9BB401E3DE7FB6FC038DC6BDC27591B
                                                                                                                  SHA1:CB1CC3D6E4A603C1B25350D5E5581193A80D3D9C
                                                                                                                  SHA-256:1B15C473C30E52A08ABDA9FFF9099E5A51EB8DB5733A7EFA29FCCEA2C17BDB6A
                                                                                                                  SHA-512:EB5C0910134420FB6717039FD95CC819C24FA0F3288A83DD43363CFD902D3FD39686B3E0D74D29B0604DD771D7215DFF2EE39713D49A760E2113B86CF98BBAAC
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):27728
                                                                                                                  Entropy (8bit):6.567134242779113
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:SXLAulT7JkcAoWovkT7jF6zOFz3Ge1l68mWka2WsCNyb8E9VF6IYinAM+oCltvGw:mLAux7yUcT7jF6aYhSkCEpYinAMxCv
                                                                                                                  MD5:97C4011B8FC681C68FC0D9A0AFE05134
                                                                                                                  SHA1:E3C5A7264874ADAF421303D679637C35DC3A1EBB
                                                                                                                  SHA-256:B9FA3DFD672088A280B1B6AFB38E9539B195B85D8351F6753D064D10F23A8617
                                                                                                                  SHA-512:70CA32792A0FB2325BC511FA1A298D1D03AA7D8E72B6F1F05443C0FE2D8B01521A745F4F1C8D7CE1FC27E6AEE112E8C499B2FF79C885BADC774EDD942C732906
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):26192
                                                                                                                  Entropy (8bit):6.549189808431148
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:pMvnbB39p5YGTv9uuM1iFSF3yE1LlW9KCWs7Nyb8E9VF6IYinAM+oCUYO39:pKnbPplTv9uuLuVwXEpYinAMxCq39
                                                                                                                  MD5:7D44B25B42F8273E1B95DB0D73671E84
                                                                                                                  SHA1:265714D11A304A27443F9DBAFB33A2987C5AF845
                                                                                                                  SHA-256:823154871F155DDCCB8DBE9DCC3078263A6C296D32524564E90B106930992987
                                                                                                                  SHA-512:563E7DB622C13C19BA81E5C123C812A8FBEB4D50C6BB2A1686C728180A26CC246D369B1BB5B8536D28A2105CA9D8DA7C8108AE3EBE302CC180EF29BFA5C8B3A2
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):41040
                                                                                                                  Entropy (8bit):6.41098819814607
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:e054t3ibki5TCk3jqEr0WBum6JEpYinAMxCmd:ePtnUj/Lkmp7HxZd
                                                                                                                  MD5:CA14EEE1F7605296B50D9471B3846A1A
                                                                                                                  SHA1:E26129A1044FA6A4A85A8890D3569C3900E338D2
                                                                                                                  SHA-256:F7CAB383114EDE19662B14EFADEAD8E76FE59954DE5464BA64E270587D738206
                                                                                                                  SHA-512:8EF77602DD6D4F86E3607A287F8E07567B216D73FA442FD7B9165B1087D2712817FAB690107EC23929EB519560CFAC897FE6C794B941A6E69CEE6D3CF661DE63
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):45136
                                                                                                                  Entropy (8bit):6.259777287029036
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:Kq+RszBJV7CkN9YxrIvw2DLBjYAQP0+lyJ9PPAEpYinAMxCsi+x:Kq+SSkNNjdQc+cJNh7HxJiy
                                                                                                                  MD5:0E56D17A0B873639366047CE26A5E063
                                                                                                                  SHA1:491A1C758D27BBA08ACF9CFC87468988545835F0
                                                                                                                  SHA-256:559CDE153D2C725745796BE20B7FE5C197DBAFBFBC3A2D4C44CC025DD75AF8ED
                                                                                                                  SHA-512:A026E4CA433846D0DC3FB53826770DB45C8D765B1705D6C0DF45991440809AF2134F8608E2E0DCABBBD539049E72DA701F2951337B6CFB3ADDE43A72A739A578
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):85072
                                                                                                                  Entropy (8bit):6.2673588925221
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:nNNgvCsvGPrpqSMo4Z9M4IIWSYe2Kbj5u6fjQ+7PMMcmnJz7Hxfp:nMCsvGPPed5ZfjQ+rBvJzFp
                                                                                                                  MD5:68E188489CD2966EF4B9E8864B5236ED
                                                                                                                  SHA1:23A5FEA5C4787804CF140741AA35F7CC55229977
                                                                                                                  SHA-256:97BA41B72AE55EA3FC47A6D48769638F608F8AD498A0A81E4780C42C45F34BC5
                                                                                                                  SHA-512:C14EACFA5ACCAFE998FD55868A91FAFDB3A23031A6DBECCCD76ADAE1E4F43C414C6C3AEBA4D4F4FEF04E0FCA8CB6B7F08017937E353522775924F1992377235A
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):23632
                                                                                                                  Entropy (8bit):6.618432341469682
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:OVAko1Z0S/oj6ETt9EQMVSz3PMA2oWs6hWso4Nyb8E9VF6IYinAM+oCqJ2qui:O3m0SM3Tt90Pl7fEpYinAMxCa3x
                                                                                                                  MD5:AC95850E08238CF3A6FFC51D47BCC1DB
                                                                                                                  SHA1:06CC0E13887DC0030A0DFFE067E01BE77D75CF4B
                                                                                                                  SHA-256:B788F714E91102C2D34FF5E20A07F7408E9EF74343871942E5889612EBBE70A5
                                                                                                                  SHA-512:58B35DA53926365A3502BCDE514E34C3159EC5DF7672527C884FF5057FF1089F0124EE79F66EA79E6004DF4CD14805C4495C43AC0C38AA07851303F3FAFADF15
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):45136
                                                                                                                  Entropy (8bit):6.430057016218873
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:FxddbVKFC/2DfTMFeuzpdUTVoIEu3GzN/EpYinAMxCMe:FNxxAYFeMpdURZEu3S+7HxZe
                                                                                                                  MD5:123D79B76609A0E1B4E7977FF4283822
                                                                                                                  SHA1:E4F25CDDCF76FFB2569D22D2090D32B33A98512B
                                                                                                                  SHA-256:871B2C2230BF4079699D34AFD6A262B7FF362431D7B2A0F4C3539A6F7D1C267C
                                                                                                                  SHA-512:C4EF8889F3DED86FBDE77EFB0A017B14F6888984F0F9A7B12FCC6CD782816B78878B0F853EF2BCF0A18F6C7966D8E495B62CF11B8EBDDBA94440FFA2F2A51AF6
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):47184
                                                                                                                  Entropy (8bit):6.373451878905772
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:ekfEnkM0vRbJ05axPAONhO+JZIkp5ygv/MFKEpYinAMxCz:LEkMoRxtzIk3ygv/Mp7Hxw
                                                                                                                  MD5:83CBC69E9A528F906F2EB5B9528FA378
                                                                                                                  SHA1:0638CA4EB918BD9A7D68C5731D831B57E5D48019
                                                                                                                  SHA-256:5F7223586AE47F001319524B3A9BC4B635A0D44870733D46FF1BFF780485C4C2
                                                                                                                  SHA-512:DD817FBDA24F1DC42C83C44D8A301123D5751895F5C542FDF3CF82CA1459B7728D897C3B3C5F1E1915282B7B4968F93ECB6D0DB4ECF80E79093C4F2B47B9420B
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):33872
                                                                                                                  Entropy (8bit):6.465515280994496
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:Tup+kjcS4GAF7ItpTYbg8lAZnsboXAEpYinAMxCnpD:Ti+YoF7Itmbg82sboZ7HxS
                                                                                                                  MD5:B4B6928B6ABD9BA62549019FC1B6FF19
                                                                                                                  SHA1:AFD5DEB02D315D70867335839BA2208DCDD94D88
                                                                                                                  SHA-256:03BCCF47620E2795ACDF4519C3E21E2C9009908A7B4CF39312DF8560CD3B4815
                                                                                                                  SHA-512:219472590F21237FBBC3F6F31D4C1320E356C5C13DA41AB0B538A2E9F0788B59E4E847E52177719F90B90BCDF496E21CA5A894E019C5BFF923AEFD1774E07ADF
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):66640
                                                                                                                  Entropy (8bit):6.302989427949227
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:syK1UG8tMAv0by0P/vGCnbr1hmiBPIIk+n7Hxu:sykl8tla/nbr1kiBx3nI
                                                                                                                  MD5:3FCB549ECB9D84B10FEF1727AB043DF0
                                                                                                                  SHA1:BDA06DB4121EC85DDF7F2259D92CFB90C0C18734
                                                                                                                  SHA-256:AA96A108023C9FE0A430AAE727F8C8D296B72D781A49E14C73BF5FF33EC792D0
                                                                                                                  SHA-512:5BBC0A63ACC4D4E3264234D472DD6EE5ABCFB762240B2B868DC344530AA520979C06B02A1BAAF43CD3B293EF3D1F8FDE7341E0413A4A9436473DBE3BF3E4A462
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):69712
                                                                                                                  Entropy (8bit):6.226077670195515
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:VsDE/e+9cxoZhNyjcMiJSAopUx+ZA7Hx0:GDE2HozNyjcf4o2Am
                                                                                                                  MD5:3CE2B431D7D349BABEE6937AD0851309
                                                                                                                  SHA1:55FF7B9337EAE6B278756C8FCB8C021E04A1AEFD
                                                                                                                  SHA-256:10E29D6B33B40B7D82298E40A19AC06362B1A51BA5C94C3A7359F5462EB22697
                                                                                                                  SHA-512:07857ACE3128BFB698EF44524451F6E07596EF48F39F8806428473CABC0C71C2348601519BCC6A58237C919F0E1212021525544C8F8A15CCAAC4912ECEFCDF70
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):64080
                                                                                                                  Entropy (8bit):6.289710606184699
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:M5PhAi33m3UOZsd4IZnuQDLtfjfC67Hxx:gPhAi33mhZiHlvtbfC6P
                                                                                                                  MD5:31CD265714D3C3120210364A14DD572D
                                                                                                                  SHA1:C5F8727A6E42429D2CF37B59B8A523844964C623
                                                                                                                  SHA-256:8FD8996D02C0A89E548069CF924B4E94250C5B4D11261E6D327657F9717E33B6
                                                                                                                  SHA-512:9B238628C89D4F72638DDDEF2FBB1155DA7917A56BBF749B96855822802ABAA4B76FE003721E17560E802A1B3478A49A3DE7C02F6F45B8DA54028203DB97D511
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):28240
                                                                                                                  Entropy (8bit):6.542681843112789
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:31YBj07ZyQvkBd9aocTPMuiEjYpR6K698kwgcWWxseU7RWsjNyb8E9VF6IYinAMh:l4jUv6iT9jsi8HyeU7L/EpYinAMxClNQ
                                                                                                                  MD5:5D53FBFB6C56DAB2AFC15E814956483B
                                                                                                                  SHA1:927D7F1B9D0493FAE2C900B73734E5A323ADDED6
                                                                                                                  SHA-256:23EE1A91AED2309099858E2E11EC499AD3AD4532E70E0B095DF2CFA118BAA85C
                                                                                                                  SHA-512:0B775138E8653240D7DD888F6CBE4EFAA9BD7762887D3C9D64F4FC180F41703D8286DEE63B2D09314E8CB98B319C5FB2C9DD1739CE3F207AFA1AD9C3331F29F6
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):59472
                                                                                                                  Entropy (8bit):6.334054400696551
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:t7WAluzJ+Je2PS7kJFT+OUjz+Tf26auuPF1/krd6zkwQRIOIzb7EFEpYinAMxC6z:xJ4V26g1YuuP/2IOe/7Hxp
                                                                                                                  MD5:5C0ECE8A6364AD65C5D01B762D721F40
                                                                                                                  SHA1:2CEF9284C94A608269D581A4588E81E485378F3E
                                                                                                                  SHA-256:A5B60A7BAAA84EA94FEF8704737B6845823A2C1DA0B9F95240CFC61C341FA2FB
                                                                                                                  SHA-512:E327BF974B9E909C147E67643A7A972F11C2BC3466B622A2286C3E9C0AF003E333A392090314D850DFFB60CE35B05441C8373D9EADEAB4EFFADC9032F2B98566
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):21072
                                                                                                                  Entropy (8bit):6.659500044238884
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:UzhlvlfTcbY3SCkWJOVMWs4Nyb8E9VF6IYinAM+oC2aJ8f09:KrfTcbY+uwEpYinAMxCTY2
                                                                                                                  MD5:DE75610B9B79DB4EE9FF93D756E16D4D
                                                                                                                  SHA1:2B3BBC1AF7191893FC42A450280ECAD9A5C68FE4
                                                                                                                  SHA-256:4C036AF950DA497F34F9E325F84A5502DE8AB373559FEE971DACA0AA6C791248
                                                                                                                  SHA-512:B9CBE72BCA53564FF77C8B02598190966290DF010902114CB7FF91E6831F87B8833984AA2F2E42F9870A28919A32C9C4B4A7A14901E36272F4EA1029C9C06A65
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):26192
                                                                                                                  Entropy (8bit):6.6410774484512896
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:T3WWQsE/8iqjnqHTnBdOHFgYVwOU3NW2qFWs/GNyb8E9VF6IYinAM+oCUo0eD05:T3hQsE/8irTnfYFr//OEpYinAMxC1ny
                                                                                                                  MD5:F07B5825DE2EFB3133BBF61FA2A4CB76
                                                                                                                  SHA1:B6CC2BE8845C0774E932B2DB1FBCAF788BFBEA9C
                                                                                                                  SHA-256:A4EEE595F17C9F26EB0DC6694580DD5873938DEF495C524EFFB0D82BC3F4262B
                                                                                                                  SHA-512:F24E824FE41280C9BC170D9DD1016EFC236650E7762EB115DE02B9593BDBD1649FDE1FCF9B7D387C533AA6BF9651B5AF701ABDD10D2D4B1BB072EBAB1B594DF4
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):35408
                                                                                                                  Entropy (8bit):6.577511960397023
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:6oi0m9/A58Ph+mJ5fvIK0ixTryfCWo/zKeGmquanccOB30RtWW3aUWspNyb8E9V3:KDhbJ5nR02TQCWoJ92tEpYinAMxCtm
                                                                                                                  MD5:6628C561065DF3B10639846B7F7DC3C3
                                                                                                                  SHA1:ACBE77E78C99E86866870874A2311DCF4902BAA5
                                                                                                                  SHA-256:9996C340E4E83C44110028CB28F20E9B24EB126742409FA718F90EA2A16379B2
                                                                                                                  SHA-512:DB9BC520D226A1E702DAFB2F2F6E0064984854844AE214F52BAB27E9A8B39F9A5AAFF9BE87BE79FA4C5E4B9D134098AE0B72C424D09E057D1B02A75E79C9F810
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):48208
                                                                                                                  Entropy (8bit):6.412254540457386
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:q7d427HfKy1DQ+SKKKKzqPo6Zkn2qZKqLzZdd0UFxlEpYinAMxCp7VCb:q7d42LfKy3SKKKKr8keqBdd0UFE7Hx0a
                                                                                                                  MD5:02D75B740B732B9D45BE1C9DEEE82D52
                                                                                                                  SHA1:145DE3697B7BCCF7F39EF5C1B813F9A213664017
                                                                                                                  SHA-256:D56BEB31BC6BCF54AE02721D3CE2B6F42D7783483B67DB2B11E5C56E8A29EC38
                                                                                                                  SHA-512:0E6041D18D62FFBBE4B9906931322F5B3856C462A330922C6264CE99E983811CF139AA52A9C10618AE8035B85B929CBAA3F0DF6FF12D29B9E269E9945C1EB232
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):24144
                                                                                                                  Entropy (8bit):6.63064410442664
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:by1x30dJaeTP8pBT7xe3SUDtzWzK0WswNyb8E9VF6IYinAM+oC61mx4iw:bq/eTeABdWIEpYinAMxCa24x
                                                                                                                  MD5:D73F1C9FDCAA14AA98AD1D62EB4F61E8
                                                                                                                  SHA1:25180ED081DBAB955DB2E321A42820313FCAC737
                                                                                                                  SHA-256:5AB6AF65EAAA7BD38B13C2E0A184D241530FD113B6DB218AD6D138A1DCA327E2
                                                                                                                  SHA-512:35E80F9F724BE46786ABDCC77BA6C4E1065A41F4213ED1B8D25B37C6CF61B7706A5F9AA87A1C5A74C96BC3D2454968541C424D6D1D4B15A64867191A190CFFB4
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):61520
                                                                                                                  Entropy (8bit):6.349315131405323
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:1g+uGuV+1mb5JtoNIHQs1YyH67beAn9eLfLaV7CvS4vEpYinAMxCkMq:1g+uGuV+1mbaqvy9OfLKMS4I7Hx8q
                                                                                                                  MD5:64A1C30750E208D114638514140D2FD8
                                                                                                                  SHA1:98F1BFAE55DE97059C7BC6A53FC6F8254C6A9EB7
                                                                                                                  SHA-256:E329AF9E6DA9753A31B9908BD6F4655C646C20C088589AF9477515D37F73190B
                                                                                                                  SHA-512:450FEF2F9C1712CAF22502C9906582EC6DB6D8F6675CFDC78D96BAFF5154675CF52B4A278306FCAD4A231C7E266B8F7690A6FBE23A8DD9455AE0B8FCEDC5505B
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):42576
                                                                                                                  Entropy (8bit):6.373492302570736
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:TKsIwjxNp8hpwVeEfHuX1QUIh3kOP7oIyWb3jec/uiCR9Crw/EpYinAMxC2xD:bd8hMfHuXbIkOP7ym3jZ/uiCRgrd7HxF
                                                                                                                  MD5:25CEB30BC69DC05B69F45F672AC1C1A4
                                                                                                                  SHA1:63A1CC9B52CD8995EA1C17794D2F75E6F5E0B6E9
                                                                                                                  SHA-256:EA390CC64028A77BA72653504499E9C0B131770DABD23D9E4AC099677B35315F
                                                                                                                  SHA-512:0D6780C9B883D555BBDC25E08FAE14EBA3583484B1BBD366188CD9350EECD81B4A3433054872F81EC6B361EA794BC2A217F1A92D4ADE9A83182F7F2B4B9DEF9A
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):345168
                                                                                                                  Entropy (8bit):6.142154867122924
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:1pc1zjTFIfqAnI7FZVllnuJxKrSj8r2yQQLeBLPHGUdlWOAlMoBJR1TaKwQz8weI:MpTCqAn+fnw5h9hdls+IZTWcd
                                                                                                                  MD5:E20A8D1854150A56856901090B816B6C
                                                                                                                  SHA1:1F2C25FD9435D137ECEB81B2A74FEE6CBCEAD01A
                                                                                                                  SHA-256:6D3F41537D09414352E42874430E3D44A8508F6FE843E52F124DBC279E76ECDD
                                                                                                                  SHA-512:747A5B2C315E26558F99436B463DD766AD0E99F527A7836055CF5898FD7BE649ED8AC5613148D80F39AF068C2F556463CAE9A242939948F110A8A517E705B3A7
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):710736
                                                                                                                  Entropy (8bit):5.954282787995899
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:/FIM0KteTMN4Or4D3OdmZg5WHEaEDIGBBjgrIQtD+tVqDMQ:9zMTMNNd+g5Wk78GBBjgrIQtDX
                                                                                                                  MD5:35FF6C65698485C13B0796ACA1E1E860
                                                                                                                  SHA1:64C4DBCBFB0C81F34E3E8C5552A9B6626C740F50
                                                                                                                  SHA-256:683039C3676D8437E99C0A98FB8D4C4D2D47258DAECD897F1532640B2FA82407
                                                                                                                  SHA-512:E21CFF5489A6D141CE72D4639F5BCB23F18155EBD64347BD179146D53D4E99285D39E3A1B9483C697D73925B76E56E2AEAE5F63D3BB5C8E9C5B65BCC826F78BB
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):285776
                                                                                                                  Entropy (8bit):6.198879246365342
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:QMiAQB4wmESyxV8pj06e4isQ8gsHsjb/W1DBZ7DhsNcyZ:QMZpj06vUsMjbQ77D+B
                                                                                                                  MD5:40F70FD9AA352F6954C048396533A13F
                                                                                                                  SHA1:B5CACB14C795B8F03CA62A2FABA9032FAA5C5A62
                                                                                                                  SHA-256:135C5B3FC4A3307FB373D466D8E0993F5899AD725AA3A04433D4CB22E205A1D0
                                                                                                                  SHA-512:6AD391AD6603C4CA8A168B31968FD9DCC467D23E38A93FD616F5DF38F00A0B4152E6AA9166C37D63D96C32FEAE01DC15709F7E7F2BE37CEE3CA18F063B69EE02
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):38992
                                                                                                                  Entropy (8bit):6.2961633461406645
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:vdfuvOXFXW/8O6bXD+eeIgLPRsnHnyhQupytM9z7O3zfXYvj8rbPH5nTLhCPsIlc:vxuJRRsnHnyhQupytM9z7O3zfXYvj8rb
                                                                                                                  MD5:318DB17FA7B98E18B6C3A6A139341D51
                                                                                                                  SHA1:CF98D3D9E98D198D8E30D221EF9ADA5441A88B5E
                                                                                                                  SHA-256:4D3114B2CF333C56CFAB3CD9CA3C0C16571D337B7E5EBFE72BCDA5C6BCE49E6A
                                                                                                                  SHA-512:8CD7EE526136FDD48AA900193F2A3A9B0B371569D5ECD21ADF1E57A88DF275579C2C42FEC9B48549C505A605FED016696377FB5B80261EBF36706F818F9C0232
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):27728
                                                                                                                  Entropy (8bit):6.552984475987511
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:iSgpZUlMxR5I1z8w3Uta2lQBVMxzMJktYm+9HWXCYBNyb8E9VF6IYinAM+oCKtKL:iSCZUl2O1zCnXyzD6EpYinAMxCk/kp
                                                                                                                  MD5:DB2C92A173A2A0373A1F8190E95FA17F
                                                                                                                  SHA1:FE61CB7B6B8E90E438F17A58775F3A70235744CA
                                                                                                                  SHA-256:DD3547F40D823D6B0462C9C11CFAEDF306E01782BF28AEA9B0C31DF6812D7E81
                                                                                                                  SHA-512:66BE8021026769C4509577F77650DD4D20C50EBDC6111342AB91A0C590118E5288B5524E6AF104B1505602231B3B14830E318563FA83F1F1D13C9F06CDEAE86D
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:modified
                                                                                                                  Size (bytes):41552
                                                                                                                  Entropy (8bit):6.321380010408937
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:MUqoXsEgfFHoiikZ9y3BHdD+XR/tGo06BWEpYinAMxCD:jLrgfPw3mXREaX7Hxc
                                                                                                                  MD5:680AFEE0D0AE8CBE3C14E8B2E98331A0
                                                                                                                  SHA1:A4536CA35F55179DCFAF8507D8BED284F8A87285
                                                                                                                  SHA-256:9BECD7633640CCA28369CE850BE2F2EB7F3D41B32289D7E4D99FD53E014844F5
                                                                                                                  SHA-512:586B4D5AB7274E0BBD26CA7B6A08A39D83CCA6B134523342094F0159E42873AF987908DAF52B7947402288E7C399C78EB63658C3591C708A24B7270936B16F5C
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):138320
                                                                                                                  Entropy (8bit):6.160416546932122
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:cobKO7RaoWuUeZk/f0Sh1HlWZm1ZZTdyGFkNUMT+P65jDtYQn:JbKKz1UeZk/Phv8lDuPaf
                                                                                                                  MD5:347415351ACC3FA1BB4B12FE70D8DB3E
                                                                                                                  SHA1:CD659D48CA294880D2A950521869E3629B680873
                                                                                                                  SHA-256:72A60990CB728C500FEDB1A6BC89D8EDF4661C89FBE3B899A7D8B2674C59CA1C
                                                                                                                  SHA-512:CB8EE748F5604EB81299B48B8C0225B1C9FB557472112CB576304E6A52BDF4343BF28F1169E4B60C60357D26910004012D136997C165E226E1B5FECDC397F878
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):150096
                                                                                                                  Entropy (8bit):6.238069789487319
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:c0B07tjJYVNSCn+tn3nUMI000000I+49U2BL1krvm:v07iSqSnkMDjyC
                                                                                                                  MD5:06740FA9E73A184DCEF81A0F9964BC0B
                                                                                                                  SHA1:E0D18EFACEE6AA0431EFBA2ABD4F0BB34E47BB41
                                                                                                                  SHA-256:91A4499366A332F2EA2EAAF8CCB1B67582553E8ADF067DE6D3FDC4D8B4389071
                                                                                                                  SHA-512:B021F4ACDF88EB321981278F8F38D385D200227C975C3A289B2D1BB2D948C5336B78196119B07CCE8C6312926F9F1DE07CB5D0A8D4ADF979C664C8B8A25CB805
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):52816
                                                                                                                  Entropy (8bit):6.18197692498772
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:NtgEqel7clEfRWOuDXaVIWb0TadZjirgFDrGfmAXOaYbMlfEpYinAMxCr:NiprEfsOuD0hhji6DrLbAY7Hxk
                                                                                                                  MD5:161E234AD2B220206DB6341B670DBD06
                                                                                                                  SHA1:B5EAA6BE5BE77227139F2298312A406EC959ADBD
                                                                                                                  SHA-256:DF6ABCE21AEDCF0106303877C88F0039C52BB5C5B98B537D9C079874965E9875
                                                                                                                  SHA-512:4999FC5AE69EF904460794C33D9E5642ED2E47A4104C6DC3CF958DC524159F59D3335547BCA5EFB182D87773124BC6E35C524B2488CE0EEBA351BE5FAF3DC5C4
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):34896
                                                                                                                  Entropy (8bit):6.290935546349103
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:K3wGplLcGsTK/lWNVz7MW+N92D1NlteVXEpYinAMxCwU:K3wMZ1lWL7MW+N0peVQ7HxRU
                                                                                                                  MD5:7D9DF905042D334B4A966BD1AA8FB08B
                                                                                                                  SHA1:3ECC8AD781DB2F3A01C09993BE7D31A878AF4105
                                                                                                                  SHA-256:7C6F7FF7350CDAD1F7025CB1B0FFADBCA99F801C7D0B9C2F11F5A9AE2F2E53A7
                                                                                                                  SHA-512:BF17D7A918469726B0325AE2BB35C00D1D5BF3BDA73FDF0397A432F271630A4CCEC2B4A30A677697F1E34AAE81D8FB37A076581C8B78C35B28141AE5ABFEE53D
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):71248
                                                                                                                  Entropy (8bit):6.13173802618335
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:pQuedlunqpC9yYxC9P7tt08eeykGlsESo3+7Hxr:g3KICHxC9ZJexRsG3+x
                                                                                                                  MD5:F85B82A5B08CCAA5359DF86C5A7EAF68
                                                                                                                  SHA1:6CA8520D247CF38F1D885B987B77892CC94397F6
                                                                                                                  SHA-256:EF4402FA640506310B85D639DFB2848DBA25DC9AFA331088F8EFB7F0877EE8C8
                                                                                                                  SHA-512:ADAD4A9E3BC20726986FBA733EA1C2A3490E1C15A92E339A4E0F187EBF0BABFB598F02CEFBB9F54A50343150E365F0D47B31A06054864D8C48ECD5F58445E31A
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):543312
                                                                                                                  Entropy (8bit):5.987161302939433
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:a6+HbUMHVgQO61+5ZpvsQ60OghEusa4UQgce0x7KjF76pkLzLFEnJEIfibgPKiU5:a6aRgsgfEU4UDcxkLzJEBsgPKiUYFHsv
                                                                                                                  MD5:76B3958BBDDF8E1A58B08581EB4B5CC2
                                                                                                                  SHA1:B51FFBD175BF70D20C4184FEF53764966DAB2393
                                                                                                                  SHA-256:0C13A1B28BAFB47ADB5D8B9E86923116258CB4E4CCB3C84310B360D4D004C145
                                                                                                                  SHA-512:7B43FA7B09C19B01E96B94028EF9EBE4CF44339437A517011702239BA247189F0D3EE8449E6913F82A41E86BA7E80CDFC9ADA9E7DE5423A38F0DBC434725588E
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):9728
                                                                                                                  Entropy (8bit):4.560006548424685
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:AiWWNv/jzSENtqcadVl8PandjJUf7ZJSqSi/ufPU1S5rxg0XWr:v1Nvb5adVl8P2djJMZJSGu3z5rxg0XWr
                                                                                                                  MD5:63E9B310597AC25A1CEAA55B6F0CC9F3
                                                                                                                  SHA1:0C5B170ABA511F479E593727CF7F562523EA7E8C
                                                                                                                  SHA-256:96B51BB87A1F4072D10B774FFADF81AF93881900571D21FE638E10E3FB0220B8
                                                                                                                  SHA-512:3BAF3836F8F42DF2D3444409115A3564B0961CD3141CC46E248E6E29A59EC773E511477D8DED4BE05125F2F45E987FD6F94AC5676C318A728B7CA63EB78E9056
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):10240
                                                                                                                  Entropy (8bit):4.43329064965383
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:ycWWNv/jzSEStoC1vxx6hUltfxx+BE00cUnAPq115rxg0XWr:yc1NvbGVxx6hUltfxgE00cLq5rxg0XWr
                                                                                                                  MD5:94136496103CA7B4425EB6D639EEC501
                                                                                                                  SHA1:AC8F3F4E7C04D4BEEFBA94004A114880662C8387
                                                                                                                  SHA-256:A3A44472A3944FF0D5C31241BF6DD9B6AE04EAE03581D338B53E3E41EED7141D
                                                                                                                  SHA-512:04F4614C5BCF97EC643079D50FFA800B2F89A503E02D7DA6FF97AA463993A6964833068063C5A144C7E7D44BEAF082B43EA672F66B4E831EC2CE828666C4965B
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):10240
                                                                                                                  Entropy (8bit):4.581775279455886
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:R/WWNv/jzSEYtPpmKJiDjgmlRFI0HYZDKz/VPH1g5rxg0XWr:R/1NvbdKJiDjgmlRi0HYZDMa5rxg0XWr
                                                                                                                  MD5:8C7822BE67F1576F2E11817826ABE40E
                                                                                                                  SHA1:9B9EDD5FEE4415CB7FB09F0940BEAAFF1C107EB7
                                                                                                                  SHA-256:C9A7CFE32AB4567D671A84397ABDA29CC92B21CB412CE0F0DF12352C68B7460F
                                                                                                                  SHA-512:70F76DFFB3FE25F1D3550BEC3C168805AB422C6A0505DDDD21EB2A5B59F24D5F37AEDE0DBEBCF16F821868789E17A87AE61442BE6525ECA0461C0146E4E6B850
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):10240
                                                                                                                  Entropy (8bit):4.368843686720491
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:IiWWNv/jzSE5tyT1TNgr1nJIhZAf/07mPk1q5rxg0XWr:31NvbGTNgr1nJI3+07M75rxg0XWr
                                                                                                                  MD5:79C01911FD90F929CCBD1D4964D2C17A
                                                                                                                  SHA1:1878855F9C350B245C3258204A754770CAD776A3
                                                                                                                  SHA-256:E8F0F7F9E9F2D836AAA341A39D3B395B397BAC0B88F6DDED3F159A6C8D2D74A1
                                                                                                                  SHA-512:0C820224F516FE888621C09E3ED1870AC4B702AB97B1CE3CE4463445FC96F9D8798C97B6AE6ECFF1175D8D8EE8657052AF0E42D03B55340635CF9F5E65A9D6FA
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):10240
                                                                                                                  Entropy (8bit):4.593201257102684
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:9SWWNv/jzSEYtq2dE1cxy8ON0Qsk96sPE1V5rxg0XWr:9S1NvbaG1cxy8ONHskd85rxg0XWr
                                                                                                                  MD5:437252DA54AB3171BC7DE366E5494AD8
                                                                                                                  SHA1:A4FCFD9240B28C836240D4CAA4C9EC8DE38F6E9F
                                                                                                                  SHA-256:9BFB9826E286B55AA5A580A5C220114063871B1EA8C541DF783A73EF8E72806B
                                                                                                                  SHA-512:8D56A2EF0DE3B3BF16FE4D931EE6D6A8119E4CD7B3FFA52AC3EF65CEA2A2F4C4E99ED536757546A54CD5A2318A1BA4E70E6425367402CFD06345FEA6EE8442C0
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):10752
                                                                                                                  Entropy (8bit):4.84740063117937
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:AHwWWNv/jzSEfthb7O9JKggIOrCPPzm394in3fwB/CZPlN1O5rxg0XWr:AQ1NvbH7O9JKgglrCPChnYVC5E5rxg06
                                                                                                                  MD5:44CC811E193FB220954A0E56AF6F7682
                                                                                                                  SHA1:B1437F518F3D8E8DEAD506D7E352B69593486244
                                                                                                                  SHA-256:8CDCF449550DF3F9CACD3A8A41D19D6144BB0FED630825D6118D4077F637BC35
                                                                                                                  SHA-512:E3FE956494F6179D6A725ECA38FE0E0739A14300DE035093212B0169BED45374E3792EBF7DF916996923777CCB9842C04D9B954D30094D51CE81A892D8F49385
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):71312
                                                                                                                  Entropy (8bit):6.106692533939604
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:mxuAEP6SHdOP71+KXUk/lsQDzZfOmLeSo0df9Xzlu:eEP6SHdOItSlXfNeSdf9Xxu
                                                                                                                  MD5:0631D48880E7DDDDE2733C133BA486BB
                                                                                                                  SHA1:08BDC5C585123FA5F3B4D670DC92CBAA7620725A
                                                                                                                  SHA-256:AAD8B9A018FC4C4601EDC7C9169370EEE26628C4D90F967C947BA9A81EC4B224
                                                                                                                  SHA-512:3AD9C20EF888DBD78AD99673E2242ED45006F204FE704076C7791A681849E4A5DDFA9E38862F26DB8203262536E92F1757FDB6982A9FDE1625C3825D89F08A41
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):801048
                                                                                                                  Entropy (8bit):1.7800450887072108
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:8qirVlWQX3WT56Os1HnhWgN7acWf53p13s5yX01k9z3Agrf8mNVf0nj:8BriQ+5kHRN76HcYR9zPrf8mrf0nj
                                                                                                                  MD5:7A44C33341844DBE9C6FA526AF88E80A
                                                                                                                  SHA1:0ACABD100F61A2F8B3C5E68A270599AD54EB8A39
                                                                                                                  SHA-256:68F73AB17FB7F4AFF3D35EF6DB0E9D5B0FA0151111CB3D03992E23BC29D6C40A
                                                                                                                  SHA-512:B81D63B345C193C6DEF17372311447D305AE167B2C4D1C2FDB0344D1E1EF5FF4F9D52599FFD862B2480825B308178737DF7E5E48C31E712339F009E92B6EAF57
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):159904
                                                                                                                  Entropy (8bit):6.097873216527841
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:eXCCOOz54xuTlmyRmIazZ11Ip5ZUWISFogVJoQyaH5MbDiz:Wz5dQ/cpJISF5c8abC
                                                                                                                  MD5:950CD24EA3A9EFE5CCE594A8B228AFDA
                                                                                                                  SHA1:4609AC99EBD157E4C9BF7E276EEA961C4BB3AA4F
                                                                                                                  SHA-256:2AF781190AB7C97D6B846D5027745D609AD227665695E8ECB3AFD4CC9FCE6537
                                                                                                                  SHA-512:2E8D0DE29E62732458472B8FA5AC35C48416E6AA5034BE309F688A095E6222A215EA3318FA02358707FBB98918983F2AB8996AC6703585485533ED4975AB7E3F
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):86816
                                                                                                                  Entropy (8bit):6.013720216920584
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:rqz3g47M9YIB/nRPP6eyO0MIq6y7suFvTbqtN0p7pqHUzH:rq3M5ftPzTLIq6y7sgytNK7p0Uz
                                                                                                                  MD5:AAB8F9887FA45F30FE04472352E5AFEA
                                                                                                                  SHA1:8244D05575D13E605B22538D7AE66D4805BC45C0
                                                                                                                  SHA-256:7DFACED56145F3C6B80DE25A09E0DF6729149EF3C6A8F8F1B559E93B914FD2DE
                                                                                                                  SHA-512:97BA85978B48324908427833374CB3C19DE01F136D29A3ADCAC350A0555B30087513CD33BB7B18F0CB52CB3E8884E0ACD1BD256704A8B96EA0C4CA8A0F8135CE
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):9728
                                                                                                                  Entropy (8bit):4.709151479489131
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:0uWWNv/jzSEhtiBbSEmfO2mdqeCtzEc6yCPVo1L5rxg0XWr:J1NvbcbSEm22mdqet+ws5rxg0XWr
                                                                                                                  MD5:90289DA899746E328816734D723C93A0
                                                                                                                  SHA1:6AF8E30872729E89FE0A7C01D99DACF4AE6726CF
                                                                                                                  SHA-256:2B3853CEBEA222ABB31C2B1E3D6CD19A2F6621ABB56954162751A2B592680676
                                                                                                                  SHA-512:ABB6FE5216B412CD85E139D69657A40BEEBA00F2DD0DF1795AAD8CF27C13D9CE0EB2DCF3904CA445678D689CE56FA2C169ED7B40490181EA6B770B1A634A6D4B
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):9728
                                                                                                                  Entropy (8bit):4.7267524338984295
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:T2WWNv/jzSEhtimYtEq40uI7Sr2fqmxkNeo7R7L7c7xM757odHK9nPo21f5rxg06:a1NvbOtEq40uYSatEdHwWloA9Pb5rxgJ
                                                                                                                  MD5:2356F25971B72EDBB3303AEA1BEFB9A1
                                                                                                                  SHA1:60780C3E4F36829A0038BF56CD929148A0A0523C
                                                                                                                  SHA-256:99C3F55737EBC53BA4EAA92FAAE23EC8AAB9149826E5D821D6BC976706BED237
                                                                                                                  SHA-512:3252FE8D4A04F4EF79DB76DEB446FBA236E0B281E0B1B35488198D8A5D8EF0F4890ED68DB0E93CA17CE3783B6A6A4D71EF5F8979F917E05D4DDAC638DF082A60
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1152141
                                                                                                                  Entropy (8bit):7.9996934105504405
                                                                                                                  Encrypted:true
                                                                                                                  SSDEEP:24576:Y0MtJOalt7fQwfM+tshGvx5LBhqAc9sDQPfs8+5iaSpFiz:65Lm++hGZ5LnZMO8f+5Aiz
                                                                                                                  MD5:9A9B1FD85B5F1DCD568A521399A0D057
                                                                                                                  SHA1:34ED149B290A3A94260D889BA50CB286F1795FA6
                                                                                                                  SHA-256:88D5A5A4A1B56963D509989B9BE1A914AFE3E9EE25C2D786328DF85DA4A7820D
                                                                                                                  SHA-512:7C1259DDDFF406FDAADB236BF4C7DFB734C9DA34FD7BAD9994839772E298EBF3F19F02EB0655E773BA82702AA9175337BA4416C561DC2CB604D08E271CC74776
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):52272
                                                                                                                  Entropy (8bit):6.139785828189609
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:avB4oeg/Po2Obb95bmrpeALHpZAgEpYinAMxCC8:ruQpbHbklAp7Hxx8
                                                                                                                  MD5:3180C705182447F4BCC7CE8E2820B25D
                                                                                                                  SHA1:AD6486557819A33D3F29B18D92B43B11707AAE6E
                                                                                                                  SHA-256:5B536EDA4BFF1FDB5B1DB4987E66DA88C6C0E1D919777623344CD064D5C9BA22
                                                                                                                  SHA-512:228149E1915D8375AA93A0AFF8C5A1D3417DF41B46F5A6D9A7052715DBB93E1E0A034A63F0FAAD98D4067BCFE86EDB5EB1DDF750C341607D33931526C784EB35
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe, Author: Joe Security
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1782
                                                                                                                  Entropy (8bit):5.026919218581437
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:3rrb7h+1/gYo27RgdSagFsg+w3Sg+CjdgDt:7rn4cwCR
                                                                                                                  MD5:13CFEB2261E4DAEAA3C06F7A60078F91
                                                                                                                  SHA1:D76B6D07D8FEC75789025FBAB18048AD193B1462
                                                                                                                  SHA-256:6BBDCC477F0C1EFBD0129AC7716F96CC2844103169AAEBFF03D4C8F5C54745D6
                                                                                                                  SHA-512:F804155363FEB09427F7C8E968EAAA7DDA15F739769864A23C8A0FC9137151A03F02FB30B11F47A69DDCEFFF02BF933721C3757A3FB78C705D0537205BBD3A92
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <d
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):11
                                                                                                                  Entropy (8bit):3.459431618637298
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:WhTLV:WFLV
                                                                                                                  MD5:530F2E4E5E3DDA283DB3C78CC0C13297
                                                                                                                  SHA1:CF60B778D32C9562B94411DA9DCD8FED2017AB84
                                                                                                                  SHA-256:447163A4A3F1F10AFD9EC48F915085B3236F0FA7EDC9973C16925EDB5F6CF0CC
                                                                                                                  SHA-512:DD4F7AF9A0F57707D1924BB504D3FC267B4898B909CF6E6ECD274BBC9B487A5CE5D8000E3FAD6EC0061E565C728455965C91F1B4E380227264AD2EE3E2990E28
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:version=6.0
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):95792
                                                                                                                  Entropy (8bit):6.184818983275012
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:GQ7brNBoXFbuhpLHbTOgemUu7+n3uRw1FlQRd5JY4t5K56y0sDrUfvPrhZwLXF7X:GQ/iwLWgeW+neRw1Hyd/YCs56y0sXUfG
                                                                                                                  MD5:23C8674C75D5944445BF1C035E4A4789
                                                                                                                  SHA1:A1255CEDEAC9F9A04B50C7814CD7C61A50623A19
                                                                                                                  SHA-256:D2043F878740F643BF91F3EF798DBB9747904A1D503AAC4ED2108131F663AB37
                                                                                                                  SHA-512:52ABA8350A05E9E5A672CB04CE528CFC4DA009247B2BD8B63096AF9A37C1F352A4C2BD12B03973AA1E733551F94F542814E425223DEF2AA33B595AA2DC555A95
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):95280
                                                                                                                  Entropy (8bit):6.002764283325334
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:ocNQW9Tbp/VgiZi7sT5gdBxYJMcTnbJkI+eD7HxSR:ojobJVgiHMcr5Da
                                                                                                                  MD5:10961147A546FFCD8B7C19771BA70198
                                                                                                                  SHA1:5B63EEA0B2E53DB81AFB146D469E899E1E67DACF
                                                                                                                  SHA-256:95C53735107ADCC39E6C3268335B2AD434E2364A007CC97B2147AF3A6EE837F3
                                                                                                                  SHA-512:9830450FF9E8D2E6B74D8D8938A18DFB1BA008249D389FB923D5AAA25B7F8F9E5BAD4CB3FC13100C5F53B0CCEDA4E9427E90F2B733EA9BE0FFAA5D5F165C815E
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll, Author: Joe Security
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):16432
                                                                                                                  Entropy (8bit):6.656654225594367
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:5Xh+/DtYchNyby2sE9jBF6IYiYF8pA5K+oCGUHFeFl5XqQ:5Xh+tYmNyb8E9VF6IYinAM+oCaFXF
                                                                                                                  MD5:96703E15C375B8A701C9D1F5BE8C4149
                                                                                                                  SHA1:B058FA32FBDA52D70C1B966640B4824D5487ADC4
                                                                                                                  SHA-256:3F830FA8F22EB09D59088705E26DCE964FB430722E91630B03EB15FCC48359A0
                                                                                                                  SHA-512:3D7515BBFD018BCB24C69235A65F401BCF00D6932E412696FF31DC6EDE9436B2D4E5983450C9F88AF7B52D18949B4C1EFFEB9C3F94E85DCE57C4495F21D21A86
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):52272
                                                                                                                  Entropy (8bit):6.410547751816252
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:KQMnML8f1VNPa7fb8LRaIzlRK/usybUjuUY0vZKE8tcqPqZw+I39Wu1FEpYinAM/:K9ML8LW/usybGYVE8mZw+89Wu1e7Hxas
                                                                                                                  MD5:20FC2DB17D09554BBC37785B3644DFC3
                                                                                                                  SHA1:AAC4CA54730DB46145748AB419CF6BE3B39D2A74
                                                                                                                  SHA-256:4151D6C627A324D9F2991A4D98BB7544926DB41B3211EDC1B2085922B1D1FC46
                                                                                                                  SHA-512:62F6711FD2861BEA0FC214882678CF7F98CB53E8AF858C46CCC1F5B1F2FF9C22DCBD3A184A9DE9AD2D2148F0B529426DE7F793A63A459D72D2DCB048DF4E40FD
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dll, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):398896
                                                                                                                  Entropy (8bit):6.13440642371392
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:hjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/Zmvr:h+e55LgIkTmyAAfTnMLvr
                                                                                                                  MD5:A79C5395D945A1A369EA05D73B1170E4
                                                                                                                  SHA1:937D030106FD7E88B61E4F4D1AC28A3B9FFA0AA4
                                                                                                                  SHA-256:7580F72E7059A9DBCF41C94DC69ECCA0B3A983C010DE86B9A509A701163AFEC0
                                                                                                                  SHA-512:176C719C2595A6A01041EC240D5341FAC5AB6137756FD70F71A1B5C5A6E9A923FB61760808840D439CDBAB70ADFAEE137B13600875E0BC3A209E501DB84C2AAD
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):883760
                                                                                                                  Entropy (8bit):6.071525670553409
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24576:Y1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQm:Y1n1p9LdRN39aQZUq3
                                                                                                                  MD5:022108AD251A8942E295269CA824DE07
                                                                                                                  SHA1:05CE96EB21FF69C5ACE572405A39936E594B7043
                                                                                                                  SHA-256:353FC27D930C31219086C6D391B0502AC298F6084DFCB3EA423DD1DAB3BA1907
                                                                                                                  SHA-512:49028D3C1C7C8FAE813F294577B97EB0C66F2D62DF880072AD59679460D55A6DEB1546DDF07A7353563910E21F4D53F5FCB4BD421887D7B75429083CA200C16E
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):710192
                                                                                                                  Entropy (8bit):5.960711597816388
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:yBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUc:yBjk38WuBcAbwoA/BkjSHXP36RMGl
                                                                                                                  MD5:25879E885A79F4548FD878EAF4A82396
                                                                                                                  SHA1:AFB8D0BBD5687D2FC19C7A3FB66EA3DF1886DB8C
                                                                                                                  SHA-256:3DF7B27F8649C95C56F1F68A040F29FB28EFF6756F8BA78C480DFBB541E59E4A
                                                                                                                  SHA-512:39EB28B89A077D37FC8076A364B26ADFD348F6DC891AC08FACCFB071D3806C32AC0A3A5D82E8D4DE01DF6F9E1C4271CCABFA8FF7248CF6886BEF8FE4BDE51B6F
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):284208
                                                                                                                  Entropy (8bit):6.117274836584594
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:NZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHU:fgo0WPVTXg0
                                                                                                                  MD5:66DEBCC5962642D31706EA1B067288A3
                                                                                                                  SHA1:FB6A76C0E5189F66FE1D0E192349077A45BF437F
                                                                                                                  SHA-256:8CBC47B453EA20F1EEA3337981A1A975A16B68B27AA156831D2B4AD0B63EA980
                                                                                                                  SHA-512:5C485C7D319BA9C019FBDCA48833D3628E6D9EA6F3AABFA47A519C363BA81D11265427FD470D5D665795B010A26E751DA404DBD70895E5EAFC83CBD50D83ED2B
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):22064
                                                                                                                  Entropy (8bit):6.676829122620627
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:Ty/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqXLP:TuhMaVmzDC67EpYinAMxC5
                                                                                                                  MD5:C3CBDF33261AA0BAA8C11B4D713BA911
                                                                                                                  SHA1:A486A2CFA6EF16B9DD005C689C767E47BF18D5A6
                                                                                                                  SHA-256:0BD8B6B5D401001A2003486077BC095A2138B42DE7A52B212BD7A4AAD72A9E35
                                                                                                                  SHA-512:132600340186128C7B8EA40D77DE9E5359A52949E7EE815CF959E2000A6EE178FCE26A2AAA2EBC56A48318EEAD3038189567CD5D14F9E977780373649C83F41D
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):97328
                                                                                                                  Entropy (8bit):6.241615255803021
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:rNSbHB6zBedWp71O37rGMsQ5gbDnTE8iayI2Sf+Ku6JhbDEhr4WTJ7HxhP:rN3OWMsQ56vd2s+KuYc9RTJrP
                                                                                                                  MD5:259DAAE7BD386F6AE1C50DEF93F9A274
                                                                                                                  SHA1:70E68497781C4E7B931B11E9EFE702ECCFBC3AF7
                                                                                                                  SHA-256:859758492E07C9297C1C5A0A31FA30129C23D479F442ADE01F4A51F78A0DED08
                                                                                                                  SHA-512:8D25CB5982E2D8A5EFA0056C120E1BD5AEC7E28DE4DEEC9BFA2BAEBFB0FABDC4A12369F901C8415CDD3402C9A0E8F8F338C1C5E3FEB1A2C0F45ED446AB80701B
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):138288
                                                                                                                  Entropy (8bit):6.18032959054322
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:g3XFz0qjCIPMAxlUXUKoPfw0kG71AHK7cnJ:S0qjCSRE+fw0kG71S
                                                                                                                  MD5:CC3FFADF699BFB7F10A176AE306707E8
                                                                                                                  SHA1:C0824E4E57FEBEF32E904E540BA369BB77ACD15A
                                                                                                                  SHA-256:D48B4C4D3BED0F4662B98E557A0EDE24B6C3745E7BFFC114164A2FD33D947904
                                                                                                                  SHA-512:BC648768FA54D6F9A0FB70CE88960EE2137712FD7056F8FF28D2E222871D2FFA96B97C81E21D84CD71EA336F29D28977EAB57D858B2B7D1D7C7B2B01BB455C32
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):17968
                                                                                                                  Entropy (8bit):6.672454142602205
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:Nh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeB7f5DxmX:Ny9eEpYinAMxCA7xDxmX
                                                                                                                  MD5:2BBEC1A6C6C64499CE0A4EDEA5D0C629
                                                                                                                  SHA1:A1C39059B887B7A1BDF93CAB3237413D5948BE26
                                                                                                                  SHA-256:D80E6D1C2A0850A2FDCA5F16A259130B08DDFE968CDC137253221CD4600D53CA
                                                                                                                  SHA-512:B27639E9D30FD23461723708D4067C99AA3162FD8EF935AD5DA75776EBB46F2D11BD0FCA211BE35A195CE3020E10E063F66FDDDEAC0624392143B856DC23C174
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):384064
                                                                                                                  Entropy (8bit):7.999354812539926
                                                                                                                  Encrypted:true
                                                                                                                  SSDEEP:6144:oT+//Q9zzulKCWBQWv2SaUi4QGX46RIpikyZVsEJ4edsS5OmBOGapgfFwchugV7h:o6//QYKvQe3as3vt4edsTEHapgfgt2/l
                                                                                                                  MD5:62BA835DA9186B6F9ABA75DB02BDA457
                                                                                                                  SHA1:73CF400D8CA1E32DC336344778E43BA5F077659A
                                                                                                                  SHA-256:3F7E666C873A00E2FC36561CA3C6554D64EE592CA6D7AAE44C1D578A4BA952C0
                                                                                                                  SHA-512:AD12DDCF069B1E41895C6FE95B4206AFD5E41FC36078323B0CF5084A90322106366B1058FD19F4A7A2E3298B59EE06CF8DB75DFCEDAC3377211216A81DD86CD9
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):176176
                                                                                                                  Entropy (8bit):5.810538753278762
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:8hu0H1+EJQCH77wKu8MFZYfAZN8nCq8vwzZhq7tZ:8hu0H1+EK27wKu8MFZYSIZhqn
                                                                                                                  MD5:ACCE8B17DE63299AA4D5CB7D709BEEDC
                                                                                                                  SHA1:F0EC4BB9BE94EE250ED38E88A87B65E727A9A058
                                                                                                                  SHA-256:C46A613D72F89B5886A79B742AA845152505734642188EA710716F63FB775C77
                                                                                                                  SHA-512:1FD0EADD36D9058E7BC4AC06108B0430ABD5D43BC14100593352FD2F5639547B92BD7AE9691E219A26A90A80E4427DAE687A2312DCA0A48F71DD3ACFF9494752
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):546
                                                                                                                  Entropy (8bit):5.048902065665432
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:MMHdG3VSQg9LNFF7ap+5v5OXrRf/2//FicYo4xm:JdASPF7NhOXrRH2/d9r
                                                                                                                  MD5:158FB7D9323C6CE69D4FCE11486A40A1
                                                                                                                  SHA1:29AB26F5728F6BA6F0E5636BF47149BD9851F532
                                                                                                                  SHA-256:5E38EF232F42F9B0474F8CE937A478200F7A8926B90E45CB375FFDA339EC3C21
                                                                                                                  SHA-512:7EEFCC5E65AB4110655E71BC282587E88242C15292D9C670885F0DAAE30FA19A4B059390EB8E934607B8B14105E3E25D7C5C1B926B6F93BDD40CBD284AAA3CEB
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>...<supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):12
                                                                                                                  Entropy (8bit):3.584962500721156
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:WhWan:WTn
                                                                                                                  MD5:5114AE785BDC99E7A17BF2CDA7D29A72
                                                                                                                  SHA1:3DE3B2F755C832B8D5E6C0EC409448E2F559FFD6
                                                                                                                  SHA-256:69DFFBBCA4B0D194104AF8F2E0FCF2B8019BE844149151B35AC0777A26FDA2DB
                                                                                                                  SHA-512:87243F0B4B8E45408B39D209FA7AAFF2A844D58E73C431F7887C90B000FD19B12048987218598945D4FAA0FA75FDAEA83FC50583175143DF737134A2BDD27D03
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:version=37.2
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):96816
                                                                                                                  Entropy (8bit):6.18002703527251
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:9Jt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7HxwX:9QUm2H5KTfOLgxFJjE50vksVUfPvCy
                                                                                                                  MD5:DDC6B969B5DB1626766381FF12340FA1
                                                                                                                  SHA1:6AAA12B989EDAAD22E1DB21127DDCFFD8951930A
                                                                                                                  SHA-256:CEBE42FBEE50769C3CF9CE1ADEB4FA85046802B7A298BDEAAC3278CF4B653525
                                                                                                                  SHA-512:B86D9C2E1234960F6614B6E6D790EEAFB093DB4CC1C9A2C4FE55EF0D4496D79B673F1B373BEDB036D23246FE1D3B7370FC0A195F59508A0566BF101401480F6E
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):704560
                                                                                                                  Entropy (8bit):5.95412318973471
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:t9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3c:t8m657w6ZBLmkitKqBCjC0PDgM5M
                                                                                                                  MD5:6EB75A19A6AB8F9DE3886261B399A8F7
                                                                                                                  SHA1:7FE98DDEC3FAA1362167BE26B5455283E7777881
                                                                                                                  SHA-256:D1A4D5FB2B89A96A3EFFC149D0A32B72182D37B59414AAF78E202D91CF408A68
                                                                                                                  SHA-512:383C477438A3654DCF5EB984626715D14AD6C771692B28326EE2212034F8B70D4430AEAE677532C66619883CBE86456602E544F2E0F0A98770F69BE3956504C1
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):512
                                                                                                                  Entropy (8bit):4.671387678423969
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:hsShKq4MsShLP6SX9NfzyShaKf0OE0rEGShaKf0Od:J4qBX9Nf1Qd
                                                                                                                  MD5:D252DAE0433A033F492D0FDF688002D2
                                                                                                                  SHA1:430DDBC6839E5380DDB80011D8B3CA32CFE2E659
                                                                                                                  SHA-256:7744963F92A980A160B1744EDEB559DA2320CC9ABC279771688293842E6780EA
                                                                                                                  SHA-512:7D8B59BE93083E1EE4FA0A9793679DC1BF8E4A199852E28412D4F3FDA99A306242C17989106585722AE907FF4CB07A1221E622CDC499E6E248E5E860B15B6164
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:......................TAgentPackageAgentInformation, Version=37.2.0.0, Culture=neutral, PublicKeyToken=null.....6AgentPackageAgentInformation.Cache.CachedDynamicFields.....<DynamicFields>k__BackingField.<Timestamp>k__BackingField..JAgentPackageAgentInformation.Api.Information.CustomField.DynamicFieldDto[]....................H...............HAgentPackageAgentInformation.Api.Information.CustomField.DynamicFieldDto................................................................................................
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):35
                                                                                                                  Entropy (8bit):3.9001530166977125
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:UBXDyUVNxgmXWTTmK:OXDyUvm+WTqK
                                                                                                                  MD5:C9462D7F0963F1327C7A268C610D0B82
                                                                                                                  SHA1:25A1CD7259944ED415CF6FE5ECACC49B99D2D0FF
                                                                                                                  SHA-256:A84E9081883F673505B2BD6D0E66104D97659AE950A4B3140AE9C990CB6EC614
                                                                                                                  SHA-512:9171923F55D079E81D58E2039548F548293C4DA92775F1F5164BD583680C186B1A031BFB8CB2EC6E8D168FEF55BDBE63816A64DD7979790629A6DDD92531C804
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.60B7E8B2C0E41A800B2DEC7A366C9969
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):35
                                                                                                                  Entropy (8bit):3.8861465882499107
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:1SiWgLNR:IiWCR
                                                                                                                  MD5:E72C3ABAE38B7E08ECBA06285A0AD28B
                                                                                                                  SHA1:C03CD285CFB0BBA7E54DC0ADAE239B46B2274261
                                                                                                                  SHA-256:325857691F11316854BBD39873EEE89D971384984DDA801BDCC59F08C07B45CA
                                                                                                                  SHA-512:6F3703CD369DE07A96D46535ABE2528F1C22823903FD0CA650BFA5F61D3A63D64363B59AE072DDF4AC03EE2AA7B7355671DF2725BCE57349D1FF552E099F346B
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.ECA830C1543EEA5896618FECF968B0B4
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):328916
                                                                                                                  Entropy (8bit):7.999290842463468
                                                                                                                  Encrypted:true
                                                                                                                  SSDEEP:6144:EQjapzpRU64iYUQf9N4E/xWTUugwXWBoJW55fJKsff+Idm3lqd0LNIN/Hggh:EUaBXU5BjfcE5WTkwGRfQY+Om3lqdv5
                                                                                                                  MD5:D3901E62166E9C42864FE3062CB4D8D5
                                                                                                                  SHA1:C9C19EEC0FA04514F2F8B20F075D8F31B78BAE70
                                                                                                                  SHA-256:DBC0E52E6DE93A0567A61C7B1E86DAA51FBEF725A4A31EEF4C9BBFF86F43671C
                                                                                                                  SHA-512:AE33E57759E573773B9BB79944B09251F0DC4E07CDB8F373EC06963ABFC1E6A6326DF7F3B5FECF90BD2B060E3CB5A48B913B745CC853AC32D2558A8651C76111
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):27696
                                                                                                                  Entropy (8bit):6.448893455648887
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:TndoS4jOhWCHDIJNQnt96+aTkdMEdcG7UhZPWU1Nyb8E9VF6IYinAM+oC8Z1KTm:Td0SkSeIUhrREpYinAMxCm
                                                                                                                  MD5:797C9554EC56FD72EBB3F6F6BEF67FB5
                                                                                                                  SHA1:40AF8F7E72222BA9EC2EA2DD1E42FF51DC2EB1BB
                                                                                                                  SHA-256:7138B6BEDA7A3F640871E232D93B4307065AB3CD9CFAC1BD7964A6BEC9E60F49
                                                                                                                  SHA-512:4F461A8A25DA59F47CED0C0DBF59318DDB30C21758037E22BBAA3B03D08FF769BFD1BFC7F43F0E020DF8AE4668355AB4B9E42950DCA25435C2DD3E9A341C4A08
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):542
                                                                                                                  Entropy (8bit):5.041389931890446
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:MMHdGGsVZrdSJ9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdArdEtPF7NhOXrRH2/d9y
                                                                                                                  MD5:547C772B1DEA0A1E8030F6ED5BE2AF75
                                                                                                                  SHA1:6F4A95B2EA3342D7B4D61C715C7FC076EB6A2DC0
                                                                                                                  SHA-256:C35A8B8AF7ECCB9BA68B129FF7F46EB1279229D637049F40761A697E9DFCD5A4
                                                                                                                  SHA-512:0F77B35AC34C8E4655F7F1F4EBF1A86AA11F96C689E632DA8BE8A17CC69A9292878E0058DD9EA5FF7315DCDD8B34489F06E6DCBB365569E3BB80E81373792FC0
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):13
                                                                                                                  Entropy (8bit):3.5465935642949384
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:WhUv:Wm
                                                                                                                  MD5:27AD88A291FC97D97FD773334DE4E487
                                                                                                                  SHA1:04B5DB46F05E02E2EC94B8A0A3447EA41FA4089D
                                                                                                                  SHA-256:4E7F8923223CB32E5D376EBC0C5361DD97DB201848590C4877D586723142B49F
                                                                                                                  SHA-512:5B21A87E19D4E3D7A14DC05C815B8D06500695360AAD1F54D2D3713CF05F646E9E7D559551BFE2CC2CDEBCE29A1991BC80AB2B11DDF79A4033897B34DCA40521
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:version=17.14
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):93232
                                                                                                                  Entropy (8bit):6.196023578677744
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:5Svbne0Q41qJ3n8JMW+0KcBLQhZV5M+5Nn0komH7yAfRS7Hxh:5S8UMW+BV5M+5Nn0kom/RSz
                                                                                                                  MD5:BD539D820C8163E9E86E59B99ADEDD22
                                                                                                                  SHA1:FF367525BA06F8B9E611A82CFD57411BA4FBD1FE
                                                                                                                  SHA-256:04C547E06CA956DB2B929CC2B6B695A649FF0F82C52E56F2677A887E7D9616DE
                                                                                                                  SHA-512:FEBB46D70A5466C85087BD4E42FBA81682CF398739F7EFEF43982C830CCFD6FCEC4613F0B5542951A463161C891EE9F378CD4D2B15B1659DCBC0E15A34BA677F
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):710192
                                                                                                                  Entropy (8bit):5.960415778826794
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:fBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUs:fBA/ZTvQD0XY0AJBSjRlXP36RMGx
                                                                                                                  MD5:3DDA2732842FCAEEA0477F18D85CB584
                                                                                                                  SHA1:D70016DF3F407CFE1BE6ACF63CC80A2B40F8212B
                                                                                                                  SHA-256:EF3F8313AD94CFB9C2E8C95B54433F112918A0542C341763B19C0B2C6914A71D
                                                                                                                  SHA-512:3403842EA1DF9F314EFF6E78F36F215A4E371B01B1C83345B7745737FABB092BDCFE63F78A29FB5FAD14825DA1C7AC286CC8BCA02B0FC3056620FE268D4FE6F9
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):833993
                                                                                                                  Entropy (8bit):7.999644881255343
                                                                                                                  Encrypted:true
                                                                                                                  SSDEEP:24576:peRqTiLR3omp/AAzr5nxL2CP+sZ4tgMfQo:p8nLR4WYA72CPPoKo
                                                                                                                  MD5:9B1F97A41BFB95F148868B49460D9D04
                                                                                                                  SHA1:768031D5E877E347A249DFDEAB7C725DF941324B
                                                                                                                  SHA-256:09491858D849212847E4718D6CC8F2B1BC3CAA671CEB165CF522290B960262E4
                                                                                                                  SHA-512:9C8929A78CB459F519ACE48DB494D710EFD588A19A7DBEA84F46D02563CC9615DB8AA78A020F08ECA6FA2B99473D15C8192A513B4DF8073AEF595040D8962AE4
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):219696
                                                                                                                  Entropy (8bit):5.943430076853408
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:It3Mf3ZwYUPEpbPwygJQetg0+BpU3I0toxhGf:2MfJPpjYN8hI
                                                                                                                  MD5:01807774F043028EC29982A62FA75941
                                                                                                                  SHA1:AFC25CF6A7A90F908C0A77F2519744F75B3140D4
                                                                                                                  SHA-256:9D4727352BF6D1CCA9CBA16953EBD1BE360B9DF570FD7BA022172780179C251E
                                                                                                                  SHA-512:33BD2B21DB275DC8411DA6A1C78EFFA6F43B34AFD2F57959E2931AA966EDEA46C78D7B11729955879889CBE8B81A8E3FB9D3F7E4988E3B7F309CBD1037E0DC02
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):541
                                                                                                                  Entropy (8bit):5.097123194334321
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:MMHdGp2VvOF9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdsIOvPF7NhOXrRH2/d9y
                                                                                                                  MD5:D0EFB0A6D260DBE5D8C91D94B77D7ACD
                                                                                                                  SHA1:E33A8C642D2A4B3AF77E0C79671EAB5200A45613
                                                                                                                  SHA-256:7D38534766A52326A04972A47CACA9C05E95169725D59AB4A995F8A498678102
                                                                                                                  SHA-512:A3F1CFF570201B8944780CF475B58969332C6AF9BEA0A6231E59443B05FC96DF06A005FF05F78954DBE2FEC42DA207F6D26025AA558D0A30A36F0DF23A44A35C
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):12
                                                                                                                  Entropy (8bit):3.584962500721156
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:WhXWp:WBc
                                                                                                                  MD5:DFDD2EB77BBB74518BAD98519A857D41
                                                                                                                  SHA1:5F4F91D73EA620CDF0E5AC458E80B71412B1BB9F
                                                                                                                  SHA-256:7655078305CC5B4F62569EF9868E1B04FCC491D33FDAD1F8E4610C038BCBAC8D
                                                                                                                  SHA-512:481CDA97C03294EBAB036F99727828983C8D0E4C137AF05FDEA7FD296D11378904BACCE2D58D44F932A0BF7F2A30A9B44F4CBC05E253F132B1EF641F648C8DF0
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:version=23.8
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):52272
                                                                                                                  Entropy (8bit):6.300719339270839
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:5i8fXCGsSVh/2ixXxKFArYCJdshn9xvlOaEpYinAMxCuMr:5FaM2gS1y2F9Ob7HxCr
                                                                                                                  MD5:9467F653980C1C37E4C64811BA27C976
                                                                                                                  SHA1:68130FABBB50EAF5CFE2C355BA13B303DD373FB6
                                                                                                                  SHA-256:821847799A2B7B3A6EC20BA61388AC87707D9C6865BD904A44DE5B033BD2EF29
                                                                                                                  SHA-512:E72B7802256053589D889B2B7E74A2B53F328289A12CC0D4930D66410D00585C67B2C434512473CD2E74C8F2CB7685C2C34FCFC3DBA4A52399532CEB04153597
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):96816
                                                                                                                  Entropy (8bit):6.1801131806578455
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:hJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7Hxwx:hQUm2H5KTfOLgxFJjE50vksVUfPvCI
                                                                                                                  MD5:F1B2303DD7E152BA70F3537EDB2E9638
                                                                                                                  SHA1:7E359D4B9011449DABB7F8236F14851A346B5028
                                                                                                                  SHA-256:8EE8B304339B6F87E79B117F605375AFFFCBABA290A1B41BB6B3C1A40E46767C
                                                                                                                  SHA-512:A4DD48F1AFF528DADF9974ADA1740CE785823FB584F55191D008158FCFB11F9ADAD8EFF992B8FF761058706C1717E28FBC9C337CF39D4EE4FFAA529501CB3188
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):19
                                                                                                                  Entropy (8bit):3.1555650133297197
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:hV7XVzF53:D75F53
                                                                                                                  MD5:C9781ACDEF0E20DACC91167D89306D79
                                                                                                                  SHA1:24FFD2880D60A97F528C2EF9DE6C8D926FED4F7E
                                                                                                                  SHA-256:441D2133482EE7E698C4AE7A48D913B43947ACA0815190689B3A647A493A054A
                                                                                                                  SHA-512:AAB411AF4C8149931882C1F5E9536A4C3C31B69E4B23665772A037ADDE79DFFB0C3688BE61C054064B1670B745E9D5515171FD65423EF5770120F83BFACAA51D
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:05/09/2024 11:24:08
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):499760
                                                                                                                  Entropy (8bit):6.056862695710082
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:HXv781Hpx+GfCdLr/jd9yyeEAHweiPofdyz7qd352SW8CdykAfqO:/76BfC5avfdyvc2SN
                                                                                                                  MD5:3CE7E73DB6F575A0D382DDAA8E1A3C10
                                                                                                                  SHA1:031C13652C540CA7F798D141D7C3333FB1C71618
                                                                                                                  SHA-256:692185C37DB7505250E58CC55D6707FCB099315A7FF319A9CC92FD99C5F0EEA7
                                                                                                                  SHA-512:5270E772613864BD223F31F89CFA500E56E7863967C58C503F92E193AF8C8CAF934B7755868EC21585A38E8D6D186A2DC5528A805A62A0BFA56B59E6506BFF81
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):710192
                                                                                                                  Entropy (8bit):5.960733432365752
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:bBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUk:bBjk38WuBcAbwoA/BkjSHXP36RMGt
                                                                                                                  MD5:2A9525F27730CBF9E7145AADE4CDA830
                                                                                                                  SHA1:A6A99E02599656DE1C7F51B02C84BBA8AAE0346D
                                                                                                                  SHA-256:29D0073080509DB7F3F20C47980A1347CC4139C5F2E26C9C160AE67CE5EECB6E
                                                                                                                  SHA-512:DDDEEC7AA9D3F9E6187718564AE1A447FCAB12EC2DCBD26EDD87217B4815C274A6BAF90A027766FCC94815C762ED9BFA8D0DEF6C1B2F84279DED9C66852D381E
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):277040
                                                                                                                  Entropy (8bit):6.190626027944278
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:rSOIleacQlBh2YQMoIBhpq01TLvlj9b6gRZNsRYA:suQlBAMW0BvltxZ6B
                                                                                                                  MD5:4ECF017FD71CC84A4CBAB7507B8634BE
                                                                                                                  SHA1:2343F37490F9A11F5F0878A1553F0FAF504FE062
                                                                                                                  SHA-256:871D9403D045F94FC433907E49B68894764FCAF81E12FBDE2AC7A08642DDA32C
                                                                                                                  SHA-512:5FCB9BDA9C857BA1AD2EC0B19AD109AC54BAC91B8F8F00968560623C8AFD01FAEE1078F7C76010C7526A37C46EE0DB74A0E0DB151186F8FB220105F7091FA69B
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):149552
                                                                                                                  Entropy (8bit):6.059724018456156
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:o/S+nps5/3oat9QrwQmUgs0giOBDQntBBGBBKBUkBBXBBgBBFBUABU1BB0BBBBgB:o/S+nps5/3f9Qrdd5EtBBGBBKBUkBBXh
                                                                                                                  MD5:2FF31980FD256EF1B1E143D4699BB727
                                                                                                                  SHA1:608A21DA2B243E63DAD9E36EE84BC38C921F8E77
                                                                                                                  SHA-256:F34AD6FB7847A85ADBE1492C783233A8A32BB5E96972FA3738538CE20513F682
                                                                                                                  SHA-512:2FEF83A7668D190297863592FBBC8E766042067138C3A163771CDCF1FB284BC8162EA6B7B958CB076B6AB654216B855324AE292F78931C47EDC33B52376943AD
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):27184
                                                                                                                  Entropy (8bit):6.334370226233819
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:Bn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCw:BnvXYcIh6yFIFBYpc47Hxn
                                                                                                                  MD5:A964D6B5F323E343E884A1E4EBBA21A3
                                                                                                                  SHA1:41FEA32C2FCC56070CF904AB441019F963C83ED5
                                                                                                                  SHA-256:0214D2C78CC1DBE92853305FA12119BBE09EA06B5EB9C4B4E7AD76B6FAF232ED
                                                                                                                  SHA-512:3E93C094D3B9D77BAE9C1725B452743FDFA0A20EB07FFC50EA861C501821710A2C29197CF43DCEC1BF089A5BC9B8F2BF57F9FD0EC8D9805D00E32538D03CD46C
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):73264
                                                                                                                  Entropy (8bit):5.955083228632948
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:R784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRX:R7N1r9KGI04CCARLX
                                                                                                                  MD5:FA432B69828C0F175E44B367AF91ED2D
                                                                                                                  SHA1:C0E72D5C64E9B560311EBD1EC3A35CED46386C78
                                                                                                                  SHA-256:6718AFA55EF89805B69360C9E88347A39CC302AB3C16590E78136C20DB025613
                                                                                                                  SHA-512:E0C54D9126C557C24013486A31D5477EFF2B800ADAE472C3103EE1F1CD527546E6DCEFB19D5DCE602AEE6DA7A0290F413CE2C6C09DF28D4333C4E62510FE2064
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):639
                                                                                                                  Entropy (8bit):4.811016582170552
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:DNF5zIytXE7LF5zIy6XEOMrD6LF5n64ECuZDtF5sTQgcF52ZF5hr6cF5GF5nr6cP:DNRtXMRWd+4E3gTQl0NP6LP6ilL
                                                                                                                  MD5:968C5902C17B5B1CC0C623974EE7F9B9
                                                                                                                  SHA1:F9E53ABE726C23BC5F099755AE233353C72ECADC
                                                                                                                  SHA-256:D65A4D1F03DD2964B7F5237B3DAD979204D70E68F7F3C694488BD9C8BE674451
                                                                                                                  SHA-512:E6E1BA3E4C279F289502365962790FA497953FA79F1562733AAB5519FEFE20C095D2F363CDB8B57668C55E3652A3F646D9C61811A3EDAD6E0D5714C5F7BAD408
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:05/09/2024 11:24:05 In Program static constructor, before instantiating _logger05/09/2024 11:24:05 In Program static constructor, after instantiating _logger without using _logger05/09/2024 11:24:06 Starting Main(), logging without using _logger..05/09/2024 11:24:06.200 am: Info: Before PollAll() call written at: 05/09/2024 11:24:06..05/09/2024 11:24:08.919 am: Info: In PollAll() before Poller.PollAll(false) written at: 05/09/2024 11:24:08..05/09/2024 11:24:08.934 am: Info: In PollAll() after Poller.PollAll(false) written at: 05/09/2024 11:24:08..05/09/2024 11:24:08.950 am: Info: After PollAll() call written at: 05/09/2024 11:24:08
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1242459
                                                                                                                  Entropy (8bit):7.999705337724571
                                                                                                                  Encrypted:true
                                                                                                                  SSDEEP:24576:ZQXvdoybigLPNNmXx5B7u62Axnj/7NAckRq/QO8tf:KoMFLGXxn7t2ARjheh5
                                                                                                                  MD5:DE647C2003B0AF989D2E87782CBDDCD4
                                                                                                                  SHA1:BEDC6201C49E8B26AF38D4A81AF7545ABE4E27CD
                                                                                                                  SHA-256:74732E18B4D2E436952D9BF13AFFB854D570E2E7BD25F5AE6884195A4343A697
                                                                                                                  SHA-512:34438F6376D283B6E5D1D2E60B2A2A8411641E2EB89ACC173D0DB409645FA37D1D67ED47899ADA434E9BEBF054867D8EAEF14BEAFABC116E30A76622D2796A4E
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):37936
                                                                                                                  Entropy (8bit):6.420777740976457
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:TlK7ivy767zzumHTxUxx/u4sEpYinAMxCczxx:9IS6mHVUTxl7Hxhtx
                                                                                                                  MD5:601E661FD5917647D8932600560E6A27
                                                                                                                  SHA1:C259050D22DDFCCD00434FBDF4660668E45A1D45
                                                                                                                  SHA-256:0F1A1F5C257AA061CAEF7FAA224959F60F8E257A5A56ECD02BB9E8BE25EA093A
                                                                                                                  SHA-512:8A3822FB7A1FA5C08F9FFAA7F3FA91FFF2DB795CA17D259D3C51264434D86325E20E8398D4E3785E143AEE7430A35287112C52A876E163F5AC8FCA414E27FBFB
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1295
                                                                                                                  Entropy (8bit):5.018953579697613
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:JdArdEtPF7NhOXrRH2/BLVv+13vH2/nVQ7uH2/FV0PH2/+w39y:3Ar+z7O7Rgdp+1/gnSagFsg+w3w
                                                                                                                  MD5:843D2196B96E53ABCAE6F4C243D1A7A6
                                                                                                                  SHA1:EB28441616660FD53653999595A3309961AA9A54
                                                                                                                  SHA-256:175C1EBF4B5C56563944E65C9E8AE4595730155D69854499DB638E82E16DF056
                                                                                                                  SHA-512:2C24DA122963E1BF533FD8A5C841C9BCD86442E0E49D3BE379FBB21AA607FDC6C7D30BA5573615416D55538429652BF1108D88EC8267FDC5D8C8F9ECAF11D0A1
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-12.0.0.0" newVersion="12.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.9.1.0" newVersion="2.9.1.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):11
                                                                                                                  Entropy (8bit):3.459431618637298
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:WhUln:Ws
                                                                                                                  MD5:5652F0418016B3ADE276CAA479E9D5B0
                                                                                                                  SHA1:8385D87585086709BAC2E028432AB505875DD0CF
                                                                                                                  SHA-256:5E29BFF135603676BF4545FBFF476A3C705FE61261F7334BB71C55F9DC8FA095
                                                                                                                  SHA-512:8B9F9606D29895470277D78C78EBB0A9487F012EA9FD92468791E1B33E406E14E9A7DF02391F62475229051E282DCF15A5977132FDF6D2C1769C69E572C3E8B1
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:version=1.4
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):92720
                                                                                                                  Entropy (8bit):6.197723114252408
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:XqIbONGJUSMm8E0/N4El/5qn0k8sSU0R1g7Hxt:XqIV8E0fJ5qn0k8s81gf
                                                                                                                  MD5:9730ABA0BFA904FABD79FB5E3F2083A5
                                                                                                                  SHA1:5D8A6F97D6B729121A7409EF881452E8A8532E74
                                                                                                                  SHA-256:9D3A9CB8F40AE8FECDCDD953C12574DCBF0D1B411ED09875A6E1194D323DF97F
                                                                                                                  SHA-512:0B46876C6C48A7969FB4F548CDAF9927FCA5949F005D75B9DAA3EFE181839963D3BE6CFD34962AB7111BDB577CD0881E80EF494770B66752D4DDE7A2596EB4E8
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):95280
                                                                                                                  Entropy (8bit):5.998458771567579
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:niLY8I1pq2jBTn9kbf0KNGVIYMcoS1JkEX5g7Hxlv6:2Z0PMcjrgv6
                                                                                                                  MD5:DBCEF7625BA26E5F98BFDB57EBE860F7
                                                                                                                  SHA1:63748B8CA00E8D0E5E6F9EF8079959AB5C776208
                                                                                                                  SHA-256:7F83ED5B26F7BDEC092A468D4CF5F24FD8417EF11D479FD78FEC4CBAC74BC193
                                                                                                                  SHA-512:9902A9A794D30A21681156C54C868B276F6AE294DE2D40FBA9B2448F853452DE15583A9485BACB7600467173DBCD99A1571E62F2E56FEBABBBC812DB03E5A7D7
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):51760
                                                                                                                  Entropy (8bit):6.406771850554805
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:cQMnMYnUFMSptE7C+t2RO3neZN8752vwzE8Kku6ZFMLcyMmEpYinAMxCH9I:c9MYn1seLE8JFMLcyMH7Hxh
                                                                                                                  MD5:BF0A1971F65A9FE73F8E048BA390710B
                                                                                                                  SHA1:FCE44EC8DD092BA5D76ECDCF7ABC8912AECD7EFB
                                                                                                                  SHA-256:F9A2D469C7FDDFD29DD49B617141F3DFAC3F98F9218198CF639887E72C7A1F82
                                                                                                                  SHA-512:490DD7021B595239A98BFFA409667D864249408355E31A72251EE68700562BC90A03192C3D3C3379224876077758BB78DB337242AFD9F6F0F79E5D03AD0E36CB
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):354352
                                                                                                                  Entropy (8bit):6.153608452030037
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:Hr/iEF3zTxesPlx5zIAUH+2n8G4smIkuxhnCq7a/ZmvYsn:Hhpp9xxIBeXGfvYsn
                                                                                                                  MD5:4EB845CC376117FBD7456B5116DEF8EB
                                                                                                                  SHA1:CEECAC7E66E327A55E8E8AECA34569C1A98AE618
                                                                                                                  SHA-256:3147327D5B6FDC6213B8082D0A5E469EAAAEB127F9D25F5A54F83A09564F920E
                                                                                                                  SHA-512:CC96AEEB1C90941EF51C9C9BCE8E4A304F33F868CACA1655CD1ABE0F110337DC4B2486F9D57DF493CBCE8B193A44561F03133AC10B2ABFB0CFA221176F8D9206
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):883760
                                                                                                                  Entropy (8bit):6.071423352723142
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24576:x1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQK:x1n1p9LdRN39aQZUq3
                                                                                                                  MD5:BC7133B1B43617AAD9B6CC4BABF49E8E
                                                                                                                  SHA1:424AFEC5BBF4523F651A6AD2EB14EF0EF7CB9FA6
                                                                                                                  SHA-256:E3FF7C72FC6AE0F4CF5F2F5463F7C232CCF73A9496A1A8B2E82D793B85DFC39A
                                                                                                                  SHA-512:B73DEB87F0C0155CD98B9F92A4A9FE04381C1F5D98F47E3E6DA085087AFFCD6050850904CA5FA2D770465516A1EFFA3DB88EEA8198B4366E6944A8472E68BB3F
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):702512
                                                                                                                  Entropy (8bit):5.9432161483973
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:Kf9WGsSVSM2mxL2nRiOr8gUckc6V/g2GhBzj05cH6:YXNL2PVh6B+Bzjmca
                                                                                                                  MD5:F2182E7F039D5A08B27FFD8B12DA12CE
                                                                                                                  SHA1:140F1BE731C0F6C1A2AE221B5E880B37807CA539
                                                                                                                  SHA-256:DE0AF87DF1D85E9D877533899B428147D961F3AD87555A997793AEE2C4EC3D14
                                                                                                                  SHA-512:AF30D9DEFC925A56F963FF1B023A260B851CDE5E1FF57B8213268753E1833C2F3BC7977E97332B2B2ED2D6A20B515A7F562A3DCA4DC960125FB06073F8AEF0B6
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):285744
                                                                                                                  Entropy (8bit):6.189807833908334
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:hZAWecOmop6I4A9YzsRuBeXirS9/pcRykxxNKKV6S8mSrpsPnga:hZeZ6ANRIru9/pcMkoKV64SrWB
                                                                                                                  MD5:C248CF206D619DCC9DFDE1905C56ABE9
                                                                                                                  SHA1:7E738C393C9C356567FEC91DD5EC9F8D7201107D
                                                                                                                  SHA-256:17437BC5E33AE2D4C02DC19844C3EFED74B8F07EFDFC7E7F21E7B76162AE5C2A
                                                                                                                  SHA-512:6EE09AC010C65D2C02AB25DDDB8530ACE7D5E8342764D4F98DECB94B02C18B593D22322986264327FEE2DDD3F4FDE630F63EBAEBF274D57006549D53FB9D68F1
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):284208
                                                                                                                  Entropy (8bit):6.117313368373633
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:tZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHW:/go0WPVTXg2
                                                                                                                  MD5:E7F7F8366DAE3FF49DF0A042E766B823
                                                                                                                  SHA1:13163C2D38244CA3043DCEB6E35AA9E35E5460FD
                                                                                                                  SHA-256:28FE2BB6DC8063506A50BD16EA75CAC63FF87D6C94FE8C820EB4C7C070DE0AF3
                                                                                                                  SHA-512:154AE5A8F1EF145609158322EA1ED22A815643D980C82589A708C72471626B2A754EBF5CFD3B017229A32775B581F4476AEB2DC8BD10B6D8CB2842586CD514BF
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):22064
                                                                                                                  Entropy (8bit):6.677875130083087
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:ey/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqh7:euhMaVmzDC67EpYinAMxCr
                                                                                                                  MD5:AD27AA5DF0CCB993A7C533ABC2B12BC5
                                                                                                                  SHA1:601A025FB69A53EA8627AD124BCFC6689E15C3B8
                                                                                                                  SHA-256:C3836ED94362FCEAEA5EB3031CE226E3A2188196B335FC12AF5379754F3BEE6D
                                                                                                                  SHA-512:FD462C30EC56D26829873C7CC437FC9B7B65DF094247486982964F8347D53CA31BC62B6926CCD242BE5C59F11E929F2945C6D15AFA13E46E7DCE68171FD7DAB8
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):51760
                                                                                                                  Entropy (8bit):6.234800508786839
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:fzpj9H0/bvvmNAkkOMo/23e3vggrkrD9Bxjpm2yuIFLlHTUpa/hDXEpYinAMxCWX:fzpjF0/t043e3vggr83jMYa/hU7HxVX
                                                                                                                  MD5:2D33C7F58A38D1EBD9167DDBB846C552
                                                                                                                  SHA1:96A22461836A2D9D0A3D945B1A000B601DD112E2
                                                                                                                  SHA-256:46DAC445CC521BBC4763E09E344CE47E89C9ECFCCF359BAB5E7DDA158798B61D
                                                                                                                  SHA-512:164F50BA58540FDF9DDD0147BF36238FF2A5F4CE5F317C1B0C6C6967DB353537B7744DFDE67F0FCDA14C1671635E1E191D5DDE6FA258054E92247DAECF180580
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):138288
                                                                                                                  Entropy (8bit):6.180026310625973
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:SP3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IlW:Sh0qjC5RMOHO420kN1p
                                                                                                                  MD5:FA1958277D8991A2CA3DCBEDD326E679
                                                                                                                  SHA1:FF67C65737EA8EB970D58397AD41179DFD7D876D
                                                                                                                  SHA-256:F90DD27CD8064A93700C114BA8479741030E99356FBB120CB03BC341E88EABE4
                                                                                                                  SHA-512:226ED579CCD8D4CB7705A0245926A25226BC054884A55AF6BC8E707A5FA2EBF38E3094F15F309999F3D05695E7B3C9CE5022B5EAAE6E2E5E092BEDB6B9A74B9A
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):17968
                                                                                                                  Entropy (8bit):6.67630363450165
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:dh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBw52Z:dy9eEpYinAMxCAUU
                                                                                                                  MD5:C8A500FA8517ED60D8294125640CE6BF
                                                                                                                  SHA1:8D056F18F46ACC3798214CFC46A9A849DB83BF6E
                                                                                                                  SHA-256:72B89634770625E6C891B8336755B6A341C8B5786C3728D9D679B756718A2DD4
                                                                                                                  SHA-512:443CC856D319F519DB75B9359C57F6410821DBC3F57B4C86EC66C18285DAC7BE6FD983653343B43278553B92A7AF07D1911FA5847B8F884EC04BB8BCC8054350
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):27184
                                                                                                                  Entropy (8bit):6.332745078390322
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:fn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCkwZ:fnvXYcIh6yFIFBYpc47HxlwZ
                                                                                                                  MD5:D62F04C397D229F2661538F299181122
                                                                                                                  SHA1:03EE3CF62888CA5BFD36B042D2E1F90F5741E0EB
                                                                                                                  SHA-256:3F07F423C81340FF2BB705C599BEA8267932EAB8D5F9E2D60BC54798C3FF6CDD
                                                                                                                  SHA-512:C4F91003ED7D13BF4C2E06CB462920C6D3550F76F4D0F63D3070F760A874B3EAF00813BC0871E5E3FED5DAEEB60D1691A1AE93246A0ACCCE518512B8AC3DE56B
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):73264
                                                                                                                  Entropy (8bit):5.955144932150523
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:8784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRJP8:87N1r9KGI04CCARLB8
                                                                                                                  MD5:328BA848ABD9A548F19263D9E43B7361
                                                                                                                  SHA1:DB4D58DEAF5EC79F620EF1AD5BFF9E28F8EB0D7E
                                                                                                                  SHA-256:B282E0543145778A695B875E82908698A38B0C0DCB9F88BAD135823EA69A9D94
                                                                                                                  SHA-512:EC8DDA91192109C5E981E2EF73CB5F7169DBEC36B32221700C8C759883B7FE2176575A39C3CCDF7F4C3F6351560C9E37B884D62154BE6558875F117638533301
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3585011
                                                                                                                  Entropy (8bit):7.9999193745697
                                                                                                                  Encrypted:true
                                                                                                                  SSDEEP:49152:PifnPfXNZMNdg2I1fVkjUhN0ToFwQGw8tQRSm90p13l95Ogl5xs35F7gzzTaCzZw:PSPfadg2IIj+N0TK7SSKjUglopWD/Py
                                                                                                                  MD5:25EE719E8A32A0C5DFC57A5923FE32F2
                                                                                                                  SHA1:F48E0549F5F05476EB780E78F7840A98B4375193
                                                                                                                  SHA-256:A5CEB8392D19691CFC565D6DE595D829D474B9B095557A55C1D11BA475E82836
                                                                                                                  SHA-512:A7483CDD47E71AE7570AFF30D2EC9E8017DFE5BA6488A8E14B538912A0E3AB286BAF764A13553D30170D874C5F14EA524C5D878131304C74838AA8E0952A2831
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):396336
                                                                                                                  Entropy (8bit):6.250697507262227
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:1fXwAmmWkxZjUCyC6ulqODyu+1QsF9K7SCHp5ZuI5MXd0XjkcdvCtUovOz6E8DnB:1fX7bwG6ulqJZaS5kzdKtUYOzMu2h
                                                                                                                  MD5:B50005A1A62AFA85240D1F65165856EB
                                                                                                                  SHA1:EEC370FA998AFCD06227DCB1BD5E6E2D36073693
                                                                                                                  SHA-256:1867CF4FCB38F7E7FC98DDAD180C26A717360DF688A8EABD9F325FDE3C16F5BD
                                                                                                                  SHA-512:63E664A8C12F27EF4C273330A8CE322CEACF12649C2BF61617ED8E394C43BF2CCAF1C2A14E2CE8807C11CE5EDD653FC7F942D0F4919923B37E1174A67393DBC4
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1459
                                                                                                                  Entropy (8bit):5.033662307409642
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:2dErdGPF7Nv+13vH2/nVhOXrRH2/d9XF7N0PH2/+w39XF7NQ7uH2/F9y:cErU7h+1/gn27Rgdz7Eg+w3z76agFw
                                                                                                                  MD5:C6ECF24757926EBA64E674BFF8B747D1
                                                                                                                  SHA1:3A46083826C20E8E085C42BBFDFEEF4F9E2B90D9
                                                                                                                  SHA-256:C3EC04142C15B0A237E72CE1C3C85D19CD1231B9824F7A9854E7909A74B7BECC
                                                                                                                  SHA-512:EFABB9883ADB098A90115E8938C92B76BBB8D2EB5DE170ECFA205EE949A2D722E0F97F6E01F9A71AC8B5FA2108B9FF82FA0171759D50E30D0AB5FC1948BDCE15
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.9.1.0" newVersion="2.9.1.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):12
                                                                                                                  Entropy (8bit):3.584962500721156
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:WhW8:W9
                                                                                                                  MD5:72133F8B7A6B747D14AD3D4BFF8CA002
                                                                                                                  SHA1:476623D1CA063E5F7836DEC97384F79E9DD04786
                                                                                                                  SHA-256:531EFE3FB7CACBC23B12FBEF7B426A3EEF4B4ACA64C20DF7637F4ABD46CF1FC1
                                                                                                                  SHA-512:4292C7513F4843543FDDA960271E060648C7690AB48477FCE27C00220F5216FC813114078E64886AADCDD5FD42AD96DB447856C11FD5954D6B1596B744CD5F2C
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:version=36.9
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):102448
                                                                                                                  Entropy (8bit):6.190419076161021
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:OPAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OL87Hxc:O2bYbYSWd85I5sSakFQhHL8G
                                                                                                                  MD5:F64F56F2E4DFA797D5CB4B1CBA08644C
                                                                                                                  SHA1:3C2DCA64758145239E2AEF45E05CCF6BF9A7FB8D
                                                                                                                  SHA-256:F23BBB31DD11D74343840FF81E37F73FB891DE7E8C6596AEED2C405DBA97CFA0
                                                                                                                  SHA-512:19181FCF32B176E9D24677DF8D740D5226F5A7D044DFB24725645C951F4F7682D9CA521F62E2420C814EF177BD20F0C470B54D1C710713F75ECC7F58F7C30CCA
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):95280
                                                                                                                  Entropy (8bit):5.996740439887868
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:t4aRSNSrXS5EaKoDMsUVl0HAWMco2bJkj87HxsN:t4auS7S5Ea6WMcpu8I
                                                                                                                  MD5:EF30D465678A904C773B58CC3B1AD66B
                                                                                                                  SHA1:D08C5968C279790EF2D10BF2FFC1F2DE937ED4DD
                                                                                                                  SHA-256:A5FAFA659C8CEC0FF892405939E3BB32269845D4509763ADD219C15E7D2A8710
                                                                                                                  SHA-512:521E64502F81A789DFB6D4FBE545F76DFE32C7998222CE3002DCEBCE5550D60AF6F29C30F9A4B8B888639CAEDB8C718BA34D88BCCA782EF13E8CE3A81ED537BD
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):75312
                                                                                                                  Entropy (8bit):6.240212933460331
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:Su2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrY1:fF+qo7mDEwj4NXLGcfgruFcg7HxRv
                                                                                                                  MD5:E307CE14EC46071E8D18B6E281A4F955
                                                                                                                  SHA1:2AA8E6FFF7346019682148DCBCEF44F72ECC4982
                                                                                                                  SHA-256:E1E9378C07B6783755D1CB46115A1791651588BD172BD535630C306198D384A9
                                                                                                                  SHA-512:2D7A23FF1D4837FA51E9C93FA0FAC0CE4F5C7744DFED28DD87C75CFF550DA121D0383F488316FF056E60C1068F59A3634E0B09D62065271B1773B73E99C54D4F
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):51760
                                                                                                                  Entropy (8bit):6.407791203959866
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:GQMnMYPWMXMwtKsSdj3xn91SPSvwzE8Kku6P3A+wf+bMEpYinAMxCkU:G9MYPJS/16/E8/3A+++bF7Hx3U
                                                                                                                  MD5:A36553BAC1F9CBF5ECBC13F7BB830E7B
                                                                                                                  SHA1:2BDACF2F0FD7ED5F3E62E4888F0A9034E8882BFE
                                                                                                                  SHA-256:CC527E9A3E527C9907D1AA00564057D070BA9B269B9FB2AD8D0F3DD380CBD3B4
                                                                                                                  SHA-512:9B3CD927725CCA3B2159F91406EF472506348BDB9CF1066386E1DAD1E9C2C4F4A72BF7A936AC9694F259C9F73AFB71B1CC37F9B5C0B1FF3D0259D1B9BD3214B1
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):155184
                                                                                                                  Entropy (8bit):6.247738832262604
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:T0feG0EI+t80zE04kjSnY2QJ6lwZaBsEFmWF+Ykt:IP80zukOltwWk
                                                                                                                  MD5:CE4E3B687617A7C94D73539DCD89FA73
                                                                                                                  SHA1:4C6519693D081D9F03503AA5CA3312C41DA3F981
                                                                                                                  SHA-256:DF753760463622BBF573AD25AC4B5184727D1F232FF68A17A1601F39377DBB76
                                                                                                                  SHA-512:FA0C76247E05C1577B767373DA659A4876B3B39DA20D3D0CE8A73779306C66FD3A2A032DCD47D11A79F1A1A2A93E242651F8650934CFB98C10D4E50F111F8F90
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):215088
                                                                                                                  Entropy (8bit):6.03083318319815
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:m1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7sV:5Izm6pOIgvr7s
                                                                                                                  MD5:A58985E020BB24EB28C965043EFBA9F5
                                                                                                                  SHA1:709CB8780E30484A788EF6EADB8B76D30491F66C
                                                                                                                  SHA-256:1AAED0562F7379F1998E50A9C0F8CBCFCFEE65FF2EF3C5DE2ACCD56764418385
                                                                                                                  SHA-512:291CBFB3A468DA06CAA0D02B04CE5109EA3EEBDD1B4B0918D9AE45B7DB9FBEAE6842B35D4C9DF99373CAF54DFBED714577C959BE2C9DD9AA92FE2774860842C8
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):354352
                                                                                                                  Entropy (8bit):6.153514122272104
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:+r/iEF3zTxesPlx5zIAUH+2n8G4smIkuxhnCq7a/ZmvYy:+hpp9xxIBeXGfvYy
                                                                                                                  MD5:B2F1B38E6DFFE1FE761A0865392161ED
                                                                                                                  SHA1:D9196465705125A228494A28D5CE3F3F2C7BDB36
                                                                                                                  SHA-256:8E958FEA067350A1957FC9E4F3052A1B8D28AB95D4E26A072BCEF0794FB8A398
                                                                                                                  SHA-512:6E4B6BB945EF698F4552E229E6CBBB615060722D2D1E8F5877200C37C4EEC8AD683C61DA701CB9A09C79673ECA96AC8CAFC3FDF70BACD2C5507C4F0ED78BC1E1
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):883760
                                                                                                                  Entropy (8bit):6.071481963565208
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24576:V1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQU:V1n1p9LdRN39aQZUqF
                                                                                                                  MD5:CA515F4F34826F5ED5A8FB7D3259FEFF
                                                                                                                  SHA1:D31158793EBB4E0CBE957158F2E42754CA826A29
                                                                                                                  SHA-256:5042E33133E0422F51382C273153295DF814E5CC2FF2A4FD0D973B4AF54D4933
                                                                                                                  SHA-512:1336E658AE6097598F3508424085AD288AF4B60D4FDB821A10BAC712492652F7BB06F3E53556CCBB7425A63ED48B53D368481D1F142E6B58FF7C4789737A3CFF
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):710192
                                                                                                                  Entropy (8bit):5.960477572931558
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:hBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU/:hBA/ZTvQD0XY0AJBSjRlXP36RMGK
                                                                                                                  MD5:EF06D200D340C9798A006F304119BA82
                                                                                                                  SHA1:C08B838DAC97CD1376D934FB5ECA982BEB19D493
                                                                                                                  SHA-256:88C838B4EEDFF929AFDABA2BA808775B1979C5C9BD7AAED36525CB1A41D8A8FD
                                                                                                                  SHA-512:E67597F90A504A1B7C6AE838C8F82BF9928D49B22E896592623E9473147F8C05B974E86567E40D93D9C59602843A532034ACF5BAD2EAD78962AC2435A63E80A7
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):293424
                                                                                                                  Entropy (8bit):6.121578040837099
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:vdmT7N9hXNx16L/kakZieD2C6gVkRYKn6nUa9K+yt:vdc7N/WkQHr64t
                                                                                                                  MD5:C329213E3BAAC31E55B7E57C9B5692C1
                                                                                                                  SHA1:C858EFBB991254A929A0D7BCB1087628501E6DC7
                                                                                                                  SHA-256:38C66E322E92172722E36001F2C9E6151655CFFDA8D78BA730B1878FAD793FF6
                                                                                                                  SHA-512:C86F49F789B40E4EEC295CB652CFC63FD5C87E51029AF975AFEFA86C57BB6A9E52DAD54993FB7186ECE73BA905EF43C50E11B85F221EBC59698D8E1845FA90BC
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):277040
                                                                                                                  Entropy (8bit):6.190744437011799
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:qSOIleacQlBh2YQMoIBhpq01TLvlj9b6gRZNsRYE:luQlBAMW0BvltxZ6h
                                                                                                                  MD5:D6F46A4CB8CEB824CD1763B62B8F71A8
                                                                                                                  SHA1:9FA3A8318D93CBDA86D2843B0783CDF0E7B28D92
                                                                                                                  SHA-256:66386C99B4BCF568C95E93B11E5E89FC78556924C5BDAC9644BCCA7B04291542
                                                                                                                  SHA-512:4B720C78E8B3316EAE4FD0BE2499173246AAD3896ED7AF76124A8E565977C27197C73D61474ABA34264F18D5C4BCAF1B51070484CE093814E3CA6C2804AE419F
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):284208
                                                                                                                  Entropy (8bit):6.117480150640407
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:PZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHNS:Rgo0WPVTXgg
                                                                                                                  MD5:74DD74986D9708CFA8F4B4F0D005B604
                                                                                                                  SHA1:55C85D2BD0ACD3E14ADF6D442670BC7F3DBBB803
                                                                                                                  SHA-256:7100B1A666B0AA99EE5036E23ACC1BA3CFF2E7B2C73A2EA72F5359374648349E
                                                                                                                  SHA-512:6CA3A9F1D10B4C492ED4902631C38F81001BDF256014148A7628166BF1932BBBC9DDA570A295C99F918818EFBA28C82D1E33C1532A2EA8163027C14351CC4ED3
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):22064
                                                                                                                  Entropy (8bit):6.679229646565206
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:3y/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqUeaT:3uhMaVmzDC67EpYinAMxCuT
                                                                                                                  MD5:A4EFAE23A302EE53F0A81FF5B3523292
                                                                                                                  SHA1:EBB0ADFB9771F4CD61A1D0A9CDFE16CE5621A304
                                                                                                                  SHA-256:D1D0C53044B2BF85F5B19CAF709BEFFCED51397AE94C37F14EB94E915C6446DE
                                                                                                                  SHA-512:E77C1CEB40F69342C742AACB07016EA6ED5AFB36949E00E85663EA15996C62E019959FDD44E9E0D468C91DBD89CC8EDE10CCC9F242DB7D6C87D2A6E24E6691FE
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):409136
                                                                                                                  Entropy (8bit):6.098144476210718
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:qPaYZ6henFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFJFpcNcHc7cbchFFc5cbc1j:06heZBJm333M89QAy
                                                                                                                  MD5:D03824AAFFA4923C80E6D8B716D8430E
                                                                                                                  SHA1:06CE0C7BAFB16D3E92B35444467DB7DE0A6C7C84
                                                                                                                  SHA-256:7782C0F86CE42101799CA9828FABA1798230734D17990637040DCF15F3617644
                                                                                                                  SHA-512:59A04EFE8423402F57896ED8D70419ADDF52309024606B35E485E051D21076261098DCBE5F7AA7CE5F8BFC93BE992E94A1AE07102F810B9B1E020529C52475E2
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):51760
                                                                                                                  Entropy (8bit):6.2347643754291555
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:Yzpj9H0/bvvmNAkkOMo/23e3vggrkrD9Bxjpm2yuIFLlHTUpa/hDXEpYinAMxCWZ:YzpjF0/t043e3vggr83jMYa/hU7HxVZ
                                                                                                                  MD5:520478C4C71D99D43989786250EB4763
                                                                                                                  SHA1:748AB4CFCCDB28B46E8226115C88681F72C033FE
                                                                                                                  SHA-256:9708914775950619C1F13B1871CAA6FA7874891985E249F82AC60862C68746A4
                                                                                                                  SHA-512:1C851D77617A8059491A1F02F81A27F8AE19CCF6EF925F63301F2C20B190BD35CFD60858121F7BA57301684A4685C87F25089040A67D1EB421A4B82AE8403B03
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):138288
                                                                                                                  Entropy (8bit):6.179821808998386
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:+P3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IlY:+h0qjC5RMOHO420kN1j
                                                                                                                  MD5:684D6E74002F9691D8CBCB135B6717E2
                                                                                                                  SHA1:9FC0F5E7AF66ACD2BB0316BF28E9CC0201037EE4
                                                                                                                  SHA-256:B6AD62636F7224EE73ED95D2E14EB089C34D40BFD2BE21A4C9B02D34CF3FA3E3
                                                                                                                  SHA-512:76710039C919E70A551E7768C230732F71A069DA34B8BDB7B9D2B853FA9001F3D37952A90E47373F53C8D323E9CAF6726F319FEBA632C2E98F5E06716B1C8EDF
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):17968
                                                                                                                  Entropy (8bit):6.673219933457599
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:Rh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBAj3IR:Ry9eEpYinAMxCAcW
                                                                                                                  MD5:ACFCB0A7B3FD1002A8FCD0FD5D65F734
                                                                                                                  SHA1:8507B9A8EE31430F75678470F5FA06337A76A5E5
                                                                                                                  SHA-256:98A4333A188E2E88F115C5F8DDADFBED3924900C1071E3226FA5B16E22FFBCB8
                                                                                                                  SHA-512:29301D054651817479EDD71E80BA4FB2E3CA449A70D7720017DAA3CF6EA2B1390E56EF763C9C9A97D099A0464439923F48D99AB0EFE2FB8B3308BDFBA7708E9A
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):27184
                                                                                                                  Entropy (8bit):6.334413974319615
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:Sn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCW4:SnvXYcIh6yFIFBYpc47HxN4
                                                                                                                  MD5:0362AEF9DA024E41795F98D8B888E955
                                                                                                                  SHA1:53FC9E81D01A7C97D57B9E9ED9A3872EF1E81F74
                                                                                                                  SHA-256:FC5600A53DD80910B63651E9C5B3B0CA82AA5C53529F4AA0964D21BDC4C64F3A
                                                                                                                  SHA-512:F65C8EAB66C5C088FB85F16914D18ACB0E2B9B201BD37C5D30B8B0FD2DE2D0AD48C74912C4293ABF611A6A64FD76B3B9B61502993C9EA680723B22A3ED88A612
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):73264
                                                                                                                  Entropy (8bit):5.95553243429679
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:R784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRv:R7N1r9KGI04CCARLv
                                                                                                                  MD5:F25FC027F62B2075901A6677EF81DC17
                                                                                                                  SHA1:A7DAC5819431ACFFF9E91BCE7C6371B2A00507C5
                                                                                                                  SHA-256:39CA7203DE9D6D026F5F1E27F00A5CA28133C0494E6F2E3ED55DD2F4F0893238
                                                                                                                  SHA-512:2E51930198A5DA863A4B718A3772E88532EAE7C0E2C432618B3306F40AB141B6E7435246FE578AB7CABBA4A6BFC674F690484A27793965A6FBEB542F66BFBB40
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 12, database pages 12, cookie 0xb, schema 4, UTF-8, version-valid-for 12
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):49152
                                                                                                                  Entropy (8bit):0.9020553226309421
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:2u5C4OoNSN1eN+5Nm2ZDzWL8OO7QzyO+p:D5PsveM5Ztzy8OO7QzyO+p
                                                                                                                  MD5:2CDC13FD2D52ED9E84D5D05923186DC0
                                                                                                                  SHA1:D62872F38756BA1F43D431263A545230980B2CCD
                                                                                                                  SHA-256:FC530DE8F35F97502FE3E7A1A46DD0273879153BCF6DA7EE78828157EA6342A6
                                                                                                                  SHA-512:A7D2739B50EAFAC40165DF72AB1C877C3924FB9E76C7A7D4128C8CB23623C0E8996EBABA5D5CDAFCE57894009880BC3A439E57BAFD8579F815EAA39AB5CC7FD9
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                  File Type:SQLite Rollback Journal
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):12824
                                                                                                                  Entropy (8bit):1.3835650083658935
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:7MzqcFu5C4OZUlFJNGdNGveXXQXN+5NG1ZkG:7y/u5C4OoNSN1eN+5NmkG
                                                                                                                  MD5:36258B6EAC030DC49676F42A4E90E3E5
                                                                                                                  SHA1:67B5101853F6D686E8D06FD7A8408CE234CD396E
                                                                                                                  SHA-256:BF8A0D8641BDD35A9CFAEA3ABFC46D8F0A4912EE7D3D81ED4D299ECC51EA8F76
                                                                                                                  SHA-512:E8DFA5C9CCC0595B04F75C053AA6814A0F9011C15595E6F12F79E027DCC994AD5B0151793E6F810D5913263AFAD8A99E6520EB6286251409986F576F27D8756C
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1799216
                                                                                                                  Entropy (8bit):6.5204766374461345
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24576:JuvfmOhyS2RuhV0yGzcuHpRs8ulCfUk+qKuMhUwqPevJ8QNYfjmqBBLbNFEohFYm:oHmUMohVWpu8ul0UkTgNCfyo3d
                                                                                                                  MD5:D066C090D3416A1D082902E0A7EADD06
                                                                                                                  SHA1:57B66D2450BC314003510657A6309F9921081EF5
                                                                                                                  SHA-256:820867ABD8E1D48A769C6D8F8D8626CB2D9E492D71ABFB47F4BE7BEDEAB93C6E
                                                                                                                  SHA-512:F0839808A716ABCF4BB392E4BB1B2D664D004FA519048C94FBA9623481DA87FE023DF94619A184E0F7F91DD02F63BB8FAC1013D09894F000661F438EE631C4C0
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:modified
                                                                                                                  Size (bytes):1475632
                                                                                                                  Entropy (8bit):6.7918990024107115
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24576:BS3uuk58wXpQous2GCzbHwGTzsIDQAKub0MBsIFBm5fi/5ATA9NTTPjXWJD8q6:gdwXpQdNVNDQubXyi60jXTW98q6
                                                                                                                  MD5:E0C12F374C3CEDEED79A92B5279F838B
                                                                                                                  SHA1:0FC4F192B32E9FC6C9FF24B9CB3129CDD925C845
                                                                                                                  SHA-256:44FCAED823205977E5C1F6654C66EB9F51351F10B572CE6E914F4866B6D7B433
                                                                                                                  SHA-512:AF965E825DC88BDBE35B9E7FC4A3FE360E9DE7751EE074E899BBAEF00FAD5158BB9E7A023D5FB79F0562BA4A30648A15C6B4AF363239B82FFC0F72C12BFB1095
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2899637
                                                                                                                  Entropy (8bit):7.998716668580002
                                                                                                                  Encrypted:true
                                                                                                                  SSDEEP:49152:CoZg4oOIjiPA+5uIH3EQVlhRBDhGBJhL3Ra1H1GzEE2q1qT7AJpvG/vlm3enDL:3ZPvM2A+oIH7lhnAgKV1qHCNGHVL
                                                                                                                  MD5:19873920E6979231111E46DD7499F174
                                                                                                                  SHA1:02141EDAB9CB1332950818E4F70ADF5AF4A8885B
                                                                                                                  SHA-256:5E63ECA0E9B28EDF89B1243CBE91D0581EC54312F9CEFE24F2D503CDDE53BFFC
                                                                                                                  SHA-512:76F7EF080D0FEFE0495AD97CC98E83DAEE63EBA76DE5440491DCAA388C8EBE3098BABFE6293BAE4C18BDAED981F2DA3D79C66258820C206E554DA882CB3917E4
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):29232
                                                                                                                  Entropy (8bit):6.342923752111313
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:MpYIrBWGYPHEUePsnhkgGIW7W8feKWDpQNbo1JNyb8E9VF6IYinAM+oCMTW+:yTrBL3Ue0FSTuKbo1NEpYinAMxCcR
                                                                                                                  MD5:C2C3FE6C498B463D94DAA3A28988E265
                                                                                                                  SHA1:469BA50E5895BE09AD12732F71C5FE104DF945F3
                                                                                                                  SHA-256:B6210743704B553FE69AECDBB0647853420F759FAA6EA7C66875D38656B774F5
                                                                                                                  SHA-512:B00774DFE64BA90CC4216A0673A8E60CFF4FB5F46CDF142100DA8132956E8758369C185A747D0279B8AD2ABB8B69D6A10C5E2BCC3B65F5BD3077C025D32349AF
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1919
                                                                                                                  Entropy (8bit):4.980638040615789
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:327h+1/gYo27RgdSagFsg+w3jdgDSg+CagFw:K4cw9n
                                                                                                                  MD5:70934BFD2D7659E71CA6A5476C0EB675
                                                                                                                  SHA1:9B1611D52D3B15A3EF0A5DB4FDBEF94BBD107379
                                                                                                                  SHA-256:24FECC645D7EF3A69CF81AD72DFC95CDFC4BB313FCCF77864C9A47C69B5DD928
                                                                                                                  SHA-512:0FA54C94D4A52A95F4A002062CB858222EA64D4FD8E8EF51725A440CCE9F64514DE12DFD60C41435B3B8DBA4AB80363984FD8E8350B5A9B0B75EB90044F14324
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):197680
                                                                                                                  Entropy (8bit):5.747369761062569
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:Y0zLj1bBKlndsFAQ1DSA8MT2tlwgVrPd+iqiTj+C+5Vw:NPjOlaFAESAewkLUiqiTjrl
                                                                                                                  MD5:C0C8815ACF3A7BD323512DFEA1B0ABF0
                                                                                                                  SHA1:31C42681964BA6E24578105B30C3A3947641C669
                                                                                                                  SHA-256:FB33C644CB11C8A0522E7ECEC9C529EABDC1080D68BD3C21A6EEB3F6FE2FC425
                                                                                                                  SHA-512:47BEAA98DF6CF7403E9BCE455964B5C378D303B959B17253104344FC48E14A09AD5889B20D4AAC06C4C1C57F42F5B826E0B71C10F1825FBFFFEEB81D36D247FC
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1782
                                                                                                                  Entropy (8bit):5.026919218581437
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:3rrb7h+1/gYoSagFsg+w327RgdSg+CjdgDt:7rn44woR
                                                                                                                  MD5:F0A8DACF41AED1B1084D1D5157DE3C8D
                                                                                                                  SHA1:02D4EE2B81AF8E9626571EFDA122849B804CE29D
                                                                                                                  SHA-256:09C69F2CCC14AD72805AB1360DB7D5AB486D99C5E55DC8B5F54695988811FF80
                                                                                                                  SHA-512:A6F1E6BA01179DC9AFBFE04887C288142FEA9BD9A593E54977C7F050A0B0EEA96D26EBE3792038EAD56467AEBD325CF7904F3D2B4206B3FE40FB468437A6C4E0
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <depe
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):12
                                                                                                                  Entropy (8bit):3.584962500721156
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:WhU6n:Wtn
                                                                                                                  MD5:9EB224135E992B09B71F35DA23490EDB
                                                                                                                  SHA1:BA28FC16AE867AEADF9393E19827ABD3F6FED830
                                                                                                                  SHA-256:50418B438425C5F8EACCF5FED9838ABA88ACE6E02CFE7A5F739C960C44E03D30
                                                                                                                  SHA-512:DB6DFAF4D20AACA9AF2AEA90675F5CE56E6AEE5307682337B7ECCB3D4C3E54EBBF363C3082271A8C2E5EFF9B20CDD08C2B382ECA59789053AF7070B06EABF646
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:version=19.4
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):99376
                                                                                                                  Entropy (8bit):6.18884582497966
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:RlAttsLnppOphwrfNIkZP0kLv+ghDBzmItlVYlkL5ihaO40QhflQCxhB7Hxi:RoESpOPptPkW5ihaOdQhfhBk
                                                                                                                  MD5:C83B1F5268442EE112B7C5E3ED017976
                                                                                                                  SHA1:37641A871CC7661EA4106C750B75168F469E08CE
                                                                                                                  SHA-256:A1AD7CA55FAA12FD3F6066DBE283D1CFAE329168F8E6054060CE45DDB28F6F7D
                                                                                                                  SHA-512:D763AF85DB80D1CC099ACAA5B36A0269C1F55F5890D6ACA47D6BF315847FF2C07AADCC89CC75DFC19793780963F99A5E1B398FBBA26392C71E9B8D3E0DDE1FE1
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):95280
                                                                                                                  Entropy (8bit):5.996567781993223
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:Y4aRSNSrXS5EaKoDMsUVl0HAWMco2bJkj87Hxsd:Y4auS7S5Ea6WMcpu88
                                                                                                                  MD5:9551AEC9EC60C8E51BC17373A6EDF42F
                                                                                                                  SHA1:0A130A64216EEF14D9D9EC493526497EB6DE8115
                                                                                                                  SHA-256:C191D85B761AF9E439D98D74E8132755D2C585BB82D0D912BF653580DA63F4F9
                                                                                                                  SHA-512:C08E5A51D9E81170C6C9D16752AD91F7F722206CD964A4FC1D970828042CADD97949636B8A283FE0DE5972A8EACCA3AA43D1BCDAB2167D09D3AFC8A2A912A614
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):16432
                                                                                                                  Entropy (8bit):6.655973367080629
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:+Xh+/DtYchNyby2sE9jBF6IYiYF8pA5K+oCGUHFeFl5fcbA:+Xh+tYmNyb8E9VF6IYinAM+oCaFfcs
                                                                                                                  MD5:4F8732210B0E83C718F6A9D65EF6F7D4
                                                                                                                  SHA1:B93A5E21E847E86CC2F8E0CB4075BE40D268C980
                                                                                                                  SHA-256:9E174654BB26A7E4F584B02391093AE2DAEFC0700391FF1953A85681CA6B0D36
                                                                                                                  SHA-512:2F54F1DA2ED92E894CCB7AB74AD65DB1C5BC6F3E435D7F6CB7488030EE156F11585733A7CD610BB82A421955F8310651A629FF983DC4248E0E0600311116D470
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):75312
                                                                                                                  Entropy (8bit):6.2404926502583145
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:9u2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrYd:cF+qo7mDEwj4NXLGcfgruFcg7HxR/
                                                                                                                  MD5:AFFA88B8F4AAF5C4DF70AE9970CCF151
                                                                                                                  SHA1:C059B1773818C6CDFE832DF00C88935D622D202D
                                                                                                                  SHA-256:6F7248580551DB8F0CF185EC410F31267938C9A258AE4DBF6B257C1E5A6C84A1
                                                                                                                  SHA-512:8FB0E096890594B6D146EFA1CFC72D412B4877C72155C61A19240D1DE171E16023C53C16A25F9BD7092409F08533C641AE17BDC770A437B36C4EA00FF272EDAC
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):51760
                                                                                                                  Entropy (8bit):6.409108893671757
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:pQMnMYnUFMSptE7C+t2RO3neZN8752vwzE8Kku6ZFMLcyMmEpYinAMxCR:p9MYn1seLE8JFMLcyMH7Hx+
                                                                                                                  MD5:A98104308B1333FD329742F6EF90CD46
                                                                                                                  SHA1:D086C1B80D611EA3C086B6B7E55989FECEECE053
                                                                                                                  SHA-256:B94C520983BE6749E504B4AF7BA32A7EBF62BAE1D2A545961089871B0021A190
                                                                                                                  SHA-512:7009FCB089DC756D33121C0E9BD6519469989DF79776457E31F0C913B3885B91C62BC7BB5C5C526D8B3E100671C39636E159CA24A5C1EAE911D730B04741D1B3
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):145456
                                                                                                                  Entropy (8bit):6.203831545567015
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:cRdbKQx0YYK8gwbUEA5xZs0vVV2yzlhXhYThkyFqhtuElLVwkVJe5K+Q7P6IlIh5:w9XeDmzV2yzlhKLFU1lLVp1+2flYFss
                                                                                                                  MD5:4DBE240649359167D2A3D1609B00B55F
                                                                                                                  SHA1:07083C6B9A7BAC81EF6FF247969EA985B3C54EC7
                                                                                                                  SHA-256:9B35B27D8ACFB6FA7F58586681C76FB65C57FC8589F3C87D502F84D788302E42
                                                                                                                  SHA-512:DF43343EC70B90A80813CD47A7237A8054D7095F64757CBD579F91ED19B06931B93A13BE77140FD7C69B7620EAF88BB633CD38FE0112B1F95631101773ABB5C0
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):96304
                                                                                                                  Entropy (8bit):5.633639288713223
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:+2kKfq2RQuKDMOoytxL2L4zP+YuqL2zL7SAaDx4lbOw6OhL7HxxJ8:bQmyxL2L4D+YZL2X7SAaqywjhLN8
                                                                                                                  MD5:BC1FA9EAFDB74D46CD404C564C3395F7
                                                                                                                  SHA1:AA153976794C77F741AC9954A043532069800909
                                                                                                                  SHA-256:ED4821858F406A49C18C4199B4CB1930D39647186939989A9D721C03BD976F1A
                                                                                                                  SHA-512:03F2BF0A5F449706CBA9DA340574CED981C70297A02D7ACD4314E2F4AF07EA4D2D72545175E6104E39BAF6DBFD200A0646D025901E6D34E534DF92EB3997C004
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):308272
                                                                                                                  Entropy (8bit):6.107431907158925
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:3Q8wCKFMjHq9bRwkpHNddKmTtYZo4smxTC3LnXNXa35/ZmvYN:3FKFMFySZIBHvYN
                                                                                                                  MD5:99C05DBA4F5671C63D6EF255BE907817
                                                                                                                  SHA1:4B911454F2AEA144478819E45EEBF6C596B5EF42
                                                                                                                  SHA-256:00AEE5E4E7181891BF4C364CF349260AC230602E7DDB8F9A68D2529CD18C4748
                                                                                                                  SHA-512:D2D9AB6BA2B6058922DDD094AB3E20027C4932B76C6C0E1B9288EAEF64E6A253DF6AB3EB3EEF714ED87087180AA3FE845E0F64B11EA0CF9DE4F77B7BC30B9671
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.838236316522756
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:/N9VWhX3WZNyb8E9VF6IYinAM+oCF5W40I2:1G8EpYinAMxCa/
                                                                                                                  MD5:6DE9E32CF82BDFEF0961FB2D34652E0E
                                                                                                                  SHA1:594F28EC0E264E8FDB9AD5F7DB0E39B09CA829E8
                                                                                                                  SHA-256:D6062AAF76E078197C74E6568B1247DE0959DD3474F4AEAD6657C5AB0A818EF3
                                                                                                                  SHA-512:2899A6452AE9FDDDECA907591B012FC1BDF8C65454E368FF2F08D586BE576EDB6D96D86D5B2642D6FDD14B2AB67EC54CF7372E85D88850BF8BC9358DE99CD271
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):331824
                                                                                                                  Entropy (8bit):6.168781225160191
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:7BhhiUWKJzPZNRntAXIjxs2f5Jg53XWlvidurmdIq8KmefViYkJTVBXi3VaKtNTd:7DMUWITZznu85k8Wdn8KmCjIFi3Vvh
                                                                                                                  MD5:80E678BFDD93E7DFE9A707111313D825
                                                                                                                  SHA1:16EB28DB750AF24E54335C85EB127B9CBA57FE4D
                                                                                                                  SHA-256:1C1BA40B2891BA5CFB8D3F5638D4BA958691487CE0F439E976774DE03A81D7E8
                                                                                                                  SHA-512:DA12462EF675095861616C1E106AA908537016357461049C8BAFEC8390AFD715D40D51710308281F20CB54101600BDAAB43DF8CBA81282487B9AFB2CC5E66B78
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):883760
                                                                                                                  Entropy (8bit):6.071467644933958
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24576:J1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQ9:J1n1p9LdRN39aQZUqk
                                                                                                                  MD5:D6850025902001E49D91F1D1B1E4C4D0
                                                                                                                  SHA1:A0DD75E918BFCA1B171CE63F3C3B484FB35ACD99
                                                                                                                  SHA-256:7BC658E0A3DF8C016D4CBB3E28CBD64FF0D4FD9F6F681B32A32460ABD347F86B
                                                                                                                  SHA-512:0FAC50A006FFD586E86821BBD7B17C602C1EBF9CDB8A0BFF88078836258D1E30364779B92F0A7F1F908E92D66B34EBE95422630F967FE28642798851580EB6C6
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):710192
                                                                                                                  Entropy (8bit):5.96040287359365
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:sBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUcO:sBA/ZTvQD0XY0AJBSjRlXP36RMGLO
                                                                                                                  MD5:EC8D314B1652E46AFBAEBF3AB238CFBB
                                                                                                                  SHA1:898A5BA8E6A1DDCAE0470AF5694FD5111AEFC2A3
                                                                                                                  SHA-256:4A292A2ECF89A630AAD219C32C94540033B5C730B59CFC9304C351BAF48A7DF3
                                                                                                                  SHA-512:5538C9BA7183CDD88F7C1CB10185DDC5C61B3EF84F4EC66E2C5D44753EB969BADAB370959F65A3B6E1B7396D2BAC08BD3D3E2B020AE36469EBD49B50D3CF0469
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):285744
                                                                                                                  Entropy (8bit):6.184647880138468
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:kZAWDkTmokB1QI3A5XeedC1OcQykFlE1WhOMiSdNrgClZ73HpsP+zq:kZU0BJwuOcrl1w7HX3HWv
                                                                                                                  MD5:3BC563BD709528CD61D8F504A3CF8423
                                                                                                                  SHA1:473AE87186633FC687D6D91645E9FE6481311671
                                                                                                                  SHA-256:465C1AE509E2AF00389B645FBB75FEEE7365FC17624D2E9237E6861B8BB30AB1
                                                                                                                  SHA-512:902ED07ABBBDEA26C48D8886F5754AD76D68D5177C80B92A326F87A193A7C9F541176E001C624EE284B8E8A2A664CE13321338DAC392D21847646FEF50766021
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):25648
                                                                                                                  Entropy (8bit):6.5620339191415304
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:MLAQk7qYbU6fX7pLk5LHAxOEaGdzBSINyb8E9VF6IYinAM+oCcS4jDf1:XRLOgbzBSgEpYinAMxCR4j5
                                                                                                                  MD5:4B3BEAFA0EE0C0C857E5D3CAA0785C5F
                                                                                                                  SHA1:EC697AB6E0956374F234A39EEA6F83EB04EEAE4A
                                                                                                                  SHA-256:EB93BE98B146199BC0E097D1B0EE0B5E89DE7B3CB77845DD0EC0A404D79E3D01
                                                                                                                  SHA-512:05498E50AC2B3724AC81C6F834EEB181F3B3706A8377BF6243CB747A344E7D3BE298754874DE4EB041869B4C8B2AA2CDFC8AC36F487644D4EF246BADD644D6E0
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2029
                                                                                                                  Entropy (8bit):4.99666085039448
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:3Ar+z7h+1/gYo27RgdSagFsg+w3jdgDSg+CagFw:wr+v4cw9n
                                                                                                                  MD5:A8C16947BDB4CB8CF1CF491FDC02B223
                                                                                                                  SHA1:5CBEC67AF9B62D270764E5D6C0964881ABD6FCBE
                                                                                                                  SHA-256:0F53AF9459BFA13AB9F911AE5FDBFDEEB0A5AE48B209E117321984E409413F06
                                                                                                                  SHA-512:791153552D64F1315C42F794D7C3BD9AA90F8C62D547197EB555A9DF6E08EAB1FD93921FC1FAF5015291FDB4A4173137A93FA7964E8003EF70EAD11DE10C2DE4
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </depende
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):210992
                                                                                                                  Entropy (8bit):5.348412302895247
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:aXLNkrE4AOS3ncIzkq2ijc3Y28MNwH5Z5D6T:ELNkrE4AOqcIzQijLw
                                                                                                                  MD5:DE3BBFAA013445B332720DA559F61FA8
                                                                                                                  SHA1:7D21AAF19FBF49E758B06DD28C204E2E7B632D1E
                                                                                                                  SHA-256:E0064D508B6F9A79D27E5404D414DDC090A52D5AD41016556CAFA973D89CE244
                                                                                                                  SHA-512:75581D822D98E1777E052E7EFD8B2C3AFAB7BBAD9B6A0ABDB017818B6349604FF1D24878048EABE571F09211C68EE0F87FA73F3BDB801A8017D4C2DD45E5E9D2
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):19427
                                                                                                                  Entropy (8bit):4.994540973244801
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:hrg4wdkumUwfGReGWeGFuGgeKCUDuTeHOTu0U5e3eTOaUmS0SXStuKhubUfSJeZY:hrdOPUDCTHffIz
                                                                                                                  MD5:04178686B6E5E58B69F7DFF5C6FD225F
                                                                                                                  SHA1:20E38E9E8B6EB9F182729E51710979250910798F
                                                                                                                  SHA-256:F260BB0DFFA0C3969D7DCBE480F4502DD8C1696FAA7B9019247EC91C6B9778FF
                                                                                                                  SHA-512:18375EA01D4B3F2CFFE413472B7E736CCEF0024A403C920A17D4E0F1A69F06347B80358AFFF4314EC6A5B9A02E50E850F94585CBF379843C07FE15883FBB2D50
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.9.1.0" newVersion="2.9.1.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Numerics.Vectors" publicKey
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):284208
                                                                                                                  Entropy (8bit):6.1174239058820445
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:1ZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHf:Xgo0WPVTXg/
                                                                                                                  MD5:5C41C8E809BE33643D9D3BAF40868770
                                                                                                                  SHA1:525C3E3D7C48A61DBD254B6526EF701F394709D2
                                                                                                                  SHA-256:5DA0EF8D49FB803A8CBE8CC8B9EEF48F32C01ADF737F679751239B6BF193652C
                                                                                                                  SHA-512:B30D697398D352D8D924F6E94B1FE1519B36AF9A6B8CC022513C56855F680FEA74908D2F6BFD86160CB17848799527599105216F19A3AD3293A614CD3FBDCFD3
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.810303906948599
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:ry8+xcexWQFW5QKNyby2sE9jBF6IYiYF8pA5K+oCGUHF1/Juf6IGhF:uDNxWQFWHNyb8E9VF6IYinAM+oC5+Ri
                                                                                                                  MD5:B43FD617ADE2F12D5A5DA4BC8E2EC788
                                                                                                                  SHA1:87837187C60145E7306FFCFAD18AD7667C1C597B
                                                                                                                  SHA-256:090E8BC5811082D668E7834D0A69956195E16E02E4A91BF72B98FBF46C01F44C
                                                                                                                  SHA-512:7A9D149AD75D799D71A4D1F8E6E16E3541B3DB4D862D4479745666FB81D376DF6751F30BD7FFE29ED930909F609CFFE389049AC3F6C67A1B8A0D589161489A2C
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):22064
                                                                                                                  Entropy (8bit):6.67173183600974
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:LlrMdp9yXOfPfAxR5zwWvYW8avNyb8E9VF6IYinAM+oCAsHI:LlrMcXP6gEpYinAMxCXI
                                                                                                                  MD5:4F4631540C1A187A87328A3C26A33455
                                                                                                                  SHA1:EC4184E92628A5975BBFBC5C883A246BD07FF46C
                                                                                                                  SHA-256:9253E6DF69B66F357DC59023B858A1119153BD1761F8F83CBF375AB5040EDC55
                                                                                                                  SHA-512:D16092954EB7B7F0B73013E85AE36D01B0A4CCD178BC804E0C0BEE34F18D85B95AB741BD57BB78792B4C77BB3664E86E785383F4886F3CDFAB2B291C2E4972BB
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.90727570833683
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:Im2igOWnW8rWVNyb8E9VF6IYinAM+oCPT89clQR4:Yt0EpYinAMxCw9G9
                                                                                                                  MD5:04AF1E5528EE2FE8D0E2C9240661DA0F
                                                                                                                  SHA1:435875171507B9ED43A0CE168FED149BB8533483
                                                                                                                  SHA-256:5D913C43020A9F32ADE24F174250AD6E674B7E5E1D2D194E9A608CBD70748595
                                                                                                                  SHA-512:D83DDBBF4C3BD9AD399C988234BD22BC0502135786DE94C09FDA2AF96F6C199DBCB049135111E172C75DC1B6A86A0FE9AEBE805AE0AB1595D5F8C7F99D8DC690
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.900100834273744
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:xnapn1iwwPWcGWvTNyb8E9VF6IYinAM+oCagmKtFWT:YDu3PEpYinAMxC0qQ
                                                                                                                  MD5:561BD5749A37BE8B5456B477DD2A9ABE
                                                                                                                  SHA1:C5A08810D97A4AA7968F63F11140B471BD8186D0
                                                                                                                  SHA-256:AB42500F2E9840B11FDFCC593087164263A9925D649012C360E129AA1FB44249
                                                                                                                  SHA-512:60E6236E860C01D912F46F7D72A0667AEA20622C4BBD133E8A5827A23E40D4402DA0EC4D1C499DA69737B62F2789A840FAF7ADD2859A366312D003AEC762478F
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.909092148900759
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:0HLaEav5aaUa6arWVLWwNyb8E9VF6IYinAM+oCg3KR0m:pPv5t/NOZEpYinAMxC8y0m
                                                                                                                  MD5:B27DC693D37DE1FEE4C400B0B9311038
                                                                                                                  SHA1:FABC7D3D07D253DD6DD8E9956547AF9A98614231
                                                                                                                  SHA-256:A6AFE6EEADFE54E0A578734FF2F3169935C3D00D426B26A3DA851B7F5AB411ED
                                                                                                                  SHA-512:2872AB1291F19B95BE680DC3449ABF1494E7CBE3E24EB15D15C5F3D11F720EB6B5E2DC2088A8EF59B8C4446E188648B344E11A59FD80BA2AAEE7EA4E6B54351C
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15920
                                                                                                                  Entropy (8bit):6.760910226841751
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:y6iIJq56dOuWSKeWRNyb8E9VF6IYinAM+oCHDRxQFj4p:kiA1EpYinAMxC9my
                                                                                                                  MD5:03BAFE2B0D9C25FC8389BE1D2823A249
                                                                                                                  SHA1:5DF8A0DF95DF2903431EB43A39547348B2CB8296
                                                                                                                  SHA-256:4849FFE52696C4D702AF03AFAFBD98611CE4A772C0003E674FED6E9BA8E71B27
                                                                                                                  SHA-512:6B1D6933B443431C6C59B415C0D2D2E04AFFE7398DF9957E016EA105DEDCDB4D1ADA74AA1CB5817B568D2843CB642FEE287CF3DA2C6C43DB1EE6CD89565F6561
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15920
                                                                                                                  Entropy (8bit):6.8160199063054066
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:anzz+MpSaLWW0+W1Nyb8E9VF6IYinAM+oC1JGQ:8puxEpYinAMxC7L
                                                                                                                  MD5:99288A77139306B255ECCEE6E04FF5E9
                                                                                                                  SHA1:0100D47BD44135FF86A8A5CEA2E10480BC7CB638
                                                                                                                  SHA-256:30E35ADEB88183F7295D966CAA6677760945C874FDB60DB7351634D70D703093
                                                                                                                  SHA-512:FA633652D1106618EB8DA1F3336E5E599D83F66535ED2D004EE221580FA1CD8C6DBA31C752F4377491FF858C975BCAAECF7CC6D7F73A6A7FA2A98FF582A656DE
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15920
                                                                                                                  Entropy (8bit):6.862739539471698
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:EGhr+YUfyHxsW/HWZNyb8E9VF6IYinAM+oCVUtE:zkmoEpYinAMxCH
                                                                                                                  MD5:4B1F70EB3EF0800B380DA8EBB2455838
                                                                                                                  SHA1:DBDEC83C56F182B28BBEA493042CA7A476E250FB
                                                                                                                  SHA-256:095C883C0CC8B4DE5CE315FCA97DFF863830B7FAB09FF68ACC0936607A6FBD52
                                                                                                                  SHA-512:04AA63D67B5CB58079ED51F0AC2C7CA0A9F306FA8EC306D817220A2C1D794B26E74D1CD24A2F9A2B52628DA338F3E5203E64A688BBF163C88EF4BD108B9F7925
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):16944
                                                                                                                  Entropy (8bit):6.792287006749931
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:IRE+ruiA5vzWeNWkNyb8E9VF6IYinAM+oC4XjFOGm:IS9bXEpYinAMxCYIGm
                                                                                                                  MD5:025AD1826825E19E60449091675EBFEE
                                                                                                                  SHA1:44D15D48991D974E209014DA108B9BC5BF0D96A1
                                                                                                                  SHA-256:CEF0F0DDF6B6C2295C0D70D48ACAC3F9CD956C40A1B814CC573CD7840E5093AC
                                                                                                                  SHA-512:15F78E9FD8A6E86B030FFCDEADCE9D50B01E46BEE83ABAC40F4AA880A490606361A346517A5D34897B83758388C888E93C4EE7F621F13F34B59440BA3F7BE70B
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.8527441270087515
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:4T+6ywnVvW0LWoNyb8E9VF6IYinAM+oCczSBu:499tEpYinAMxCLu
                                                                                                                  MD5:0F1F604FC675C153112AAFA7B3CD35F5
                                                                                                                  SHA1:26D84373B4E998F26E80DB7292BA3AFA3F2F4D03
                                                                                                                  SHA-256:FFDA559466831113D81540B0CC06F959D8771777BC7A9DF50167D8B3390A3900
                                                                                                                  SHA-512:B3BDF3792CE2D7E1CFD051192D521BDB8CCE99C07EB6A90951DBD8E410FE05A16FE123A40F3E0C6F63D2BD9E3E31B8633FC86D355F9E3448CADF8B2FB553BC4D
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.8485217436146
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:YRbzriaXT+WlEWENyb8E9VF6IYinAM+oCri+trE:O7icWEpYinAMxCu8o
                                                                                                                  MD5:7699FF017862D54F706B757522EE436D
                                                                                                                  SHA1:56415E9BFD5D530AFD751B7DCA35DB2FC7BC4FB2
                                                                                                                  SHA-256:9DCB4C285EDB926A2E8F808EC6550D9589C17EA77A2AEAD4239F2B0F14B1E32E
                                                                                                                  SHA-512:18674E269C9BEC0472EB7075310730C4E2239AE27DF237F79C73AD5E3019F10372963B689438F5A177881E3883D5B04B6261BD0742324F79E33362B57DA41CB8
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):148528
                                                                                                                  Entropy (8bit):5.4178270851166594
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:6HOdYYWg+GImdMEGK61wb5nx03LBblQ6Ndk66byYSI4Zki+BReD4pK/uYxtl+97b:NdYO+3m9R6e1x03BZ6bDSzZ8B0uAP+9/
                                                                                                                  MD5:E0FDFE274C85F41A36708549F567DC66
                                                                                                                  SHA1:AEB7C489BCF2644B22B84F9914F4A6B89A9920D5
                                                                                                                  SHA-256:5085A0CD0657F3ECB227B9F87AC760A34D445B211FE39F72B822218E4974A739
                                                                                                                  SHA-512:C44C5D0BCEE4DB63A6B4C73B9D663073DAB59F8AA9697DACEA5F46A0BF311862DCDD7544014BA64E4E967995EE3796BA1C340CB7FF5764112858BDDB0062FE91
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15920
                                                                                                                  Entropy (8bit):6.812160470049198
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:NzNnzx7FWjYW5sHNyby2sE9jBF6IYiYF8pA5K+oCGUHF8oymiaaJDRY:hRtRWjYW2Nyb8E9VF6IYinAM+oCItW
                                                                                                                  MD5:B0F3F032F7825DDE1F13E482B4CAF38E
                                                                                                                  SHA1:6CF6E45C2982FCE84F6817FD0CCDEA147BB207D5
                                                                                                                  SHA-256:78502357C3FED85000D348121D62BA9B5927C14661FC68D7E37E58B5A466B702
                                                                                                                  SHA-512:2C248BD3D4E19CAE045DC8D6B5ECFE46C96A46AEC10BBC9DCE57EB31CC631E544D912C2E41744E64632F96784527161E4954C24687469026821C976D3733F3A9
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.894107837143539
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:ReWnoWXNyb8E9VF6IYinAM+oCG1+MShLbGq:RntEpYinAMxC1Mvq
                                                                                                                  MD5:6AA890B1CA29BA41BAAB4A86744292EE
                                                                                                                  SHA1:6E28910CF5A08784CA5D76CCF855721B94918A44
                                                                                                                  SHA-256:5FC6CA69B09B584BC118CABCB04128AE83371F1D19D53B5F1821ECDF2D2C859F
                                                                                                                  SHA-512:4BA4CC53D223E6D1C289070E4191393448F698A78E37402AD09203651A6B66D145B56C82EE8F0E82EC9FCF99E02A7BEDB4840A572D472D2518DA08E0E05CFAA2
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):52784
                                                                                                                  Entropy (8bit):6.247628824459115
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:pC5mb2//6hDjsgXj55UJ6DwrKts7EK5m2yFVBg6WZZjbUpUhDIEpYinAMxCMy5:pCYb2/CRv5M6jtUZjQUh17Hxb4
                                                                                                                  MD5:C001B77796CB926BD9DEC6DF5A7D9445
                                                                                                                  SHA1:123CB4FB6E2CCB0CD05C738497BFE132E5928C21
                                                                                                                  SHA-256:E9B7F862256ADF23BEDECFA8607540E3AFE5FB9D0AC23925E8FAFAA0DC8661D3
                                                                                                                  SHA-512:77643527B6E5C35A47DDBD8F5667121A9432A87E7DE21280B669228FE398DEBA79524A6B77EFD3EAB0A4F5B3C451E25FA3685E3F14E509E741C1FD30339BFD8E
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.853814679304912
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:ZxGxIZWJjW55NNyby2sE9jBF6IYiYF8pA5K+oCGUHFykqG6:Z6oWJjWZNyb8E9VF6IYinAM+oCukf6
                                                                                                                  MD5:2D1E64C6363F520A4B09EE67CA44BBE0
                                                                                                                  SHA1:A1D1CABF2DC5A03B193A435ADD236438C3FD5E0A
                                                                                                                  SHA-256:32F80F2FD7EC40AB166D32F9718C6F52F024A4C16A410B95D26CB83B2A3457CF
                                                                                                                  SHA-512:AC2662EF95C75FCD79525A0219B598EAFE0EED22E3FD6CAC1C024F37E095F0668DBE529020CEA1383EE7AAAD32C5C4349544EABE23199B9AAF70BE053C20DA59
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15920
                                                                                                                  Entropy (8bit):6.775913255662062
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:zqk53/hW3fZ+zW3Nyb8E9VF6IYinAM+oCjF9:zqk53MXEpYinAMxCP
                                                                                                                  MD5:05A320B376EE93BE8E3E26A2CA823B10
                                                                                                                  SHA1:4F02AA8E1741C094813C08F66B17D61263D437A9
                                                                                                                  SHA-256:422876979DC3BDE89C3AEC38D43C48A3DFA80D9446748E55EC26AAAA195744B6
                                                                                                                  SHA-512:177F6628AF9F0808B8E7A4F8C7D12F5AE45A829DACD10E531A27FD5C150FD3FAAB5729112AD75B8E8BE5DB71C6D1A0A4559BF522D5A90DA1749CD5A25735013A
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):17968
                                                                                                                  Entropy (8bit):6.661314849678409
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:WFCc4Y4OJWfOWqWWOWyNyb8E9VF6IYinAM+oCwOS/D:2CcyCCEpYinAMxCOD
                                                                                                                  MD5:244105479AAE00122795AB55C02D27C5
                                                                                                                  SHA1:4D02969813A1EF3816DA8EDE3740E3A448380D43
                                                                                                                  SHA-256:9F81EDA0A759D7681C42DB5FA8967CEC5350761E14E6FBB998709C1D3FAC3BC1
                                                                                                                  SHA-512:74F5EF78035495A409BD02A7F97F54B71E5E5929F937981B02FA5E1147B2F493B32339B62456ABD0D3751FA7C955B168EE849EBB099DAE7E9CE84A8C3CAE307F
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.8760364981132405
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:rlTx93aWxMW5VwNyby2sE9jBF6IYiYF8pA5K+oCGUHFwPtrnPi6:PAWxMWANyb8E9VF6IYinAM+oCMPtrPj
                                                                                                                  MD5:76011DDB6222C1DDF8DB8DAD81822DE2
                                                                                                                  SHA1:98E59A56051E878AA59574CB18312E3C4DFC814E
                                                                                                                  SHA-256:B6B4BA9E826F30B91768844A9C6B76F6CC5A3342CAC2BF86B0E94AD5EADD4840
                                                                                                                  SHA-512:C4C07155FA550C878ED73C9C101787093F73110F6B1C7C90FDE931DC453BD6EE4E63211E764FC39ECA2F0B07DAB437CCB6097BBEA4D2E6975A5BD759DADA183A
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.855299035225063
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:sYqArxbYWHaW5uiNyby2sE9jBF6IYiYF8pA5K+oCGUHF2zfxGLNDPIh7:6AlcWHaWBNyb8E9VF6IYinAM+oCyoxa7
                                                                                                                  MD5:6763462D500565BB723D6AE7DD376177
                                                                                                                  SHA1:5BA25C0C7F2E66FBC00CF752EACC0F0757ED69F7
                                                                                                                  SHA-256:E77307BFEF76BEBDEAC6916FC6051CDB8C7CD5347660A0A2FD216C0021A4FFF3
                                                                                                                  SHA-512:34EA0E54D86A6E5C588C164D5A13854F9C133DCB5E59E1D5123F3E041EA1300DC327ADAD16AED58D3F455AF6CEF5CC04D8C6C65791D2B501FED17752A731B990
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15920
                                                                                                                  Entropy (8bit):6.778616544811202
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:lGIZnWlNWmNyb8E9VF6IYinAM+oCpcstTLAF:cUyxEpYinAMxCPYF
                                                                                                                  MD5:B2385B0E04770B808F5F51B4F267DE63
                                                                                                                  SHA1:DBCCFFC5F25E153512F4607827A1DCB0672DB7B7
                                                                                                                  SHA-256:7377730E697EEA5E6FD7A9E91B4967E7669D9CE6EA9B0C9DEAA3A219C1381BE0
                                                                                                                  SHA-512:60D576EA65C7FCE3D3F65DB2EC3D8CD14C833723AC5C56D1F299608E63AE520A0AE8A099EE48D883377C333E31797FAC108584C98ED6E577CAA8929D58E92BAD
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):25648
                                                                                                                  Entropy (8bit):6.495901336244438
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:UlQnCMi33333333kj8xe+5PTYM3zUy+CezHjzgKj0uRWOdWmWJdW8Nyb8E9VF6Iq:SQq33333333kX+TBi8rEpYinAMxC/L
                                                                                                                  MD5:5F4C0B3A7F2FB0DB1B1B20969BEF7168
                                                                                                                  SHA1:CD470977A3442AABCCB143FA078839C5078D6AB6
                                                                                                                  SHA-256:A5DAD8CC289C2E342FD57F2153BC1B704CDDDD42C508BBD737765348B7636A3E
                                                                                                                  SHA-512:EE8938258AD481225DBD44B9A56A62FF19C762B200A23720630629553EC386B1D0F999C73F6D949969353A66994E860EDFCA94A18154F32354B98F400DDAB925
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.852030061615908
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:l28YFlXulWY/WnNyb8E9VF6IYinAM+oCKD9B9:l0q6EpYinAMxC2
                                                                                                                  MD5:40EC51C679114A8554D35F8EAAAE33E9
                                                                                                                  SHA1:F550B24B07809FD1BCF258A84958FE56630A89CF
                                                                                                                  SHA-256:1D1044444D0DE0F9D48675C6FF61936287518356DAD7CD2616C0EF0F04E20AEA
                                                                                                                  SHA-512:235A3BA54BBE957166B69E436FD0F57F52250E53512839D0A7D072F4058B246F6E8EED5E09DCB2DCD48F8CC13AE1DCE4EF2602B7BCC4AA70BF1B9D41E227E9E2
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):16432
                                                                                                                  Entropy (8bit):6.729765410025899
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:yuMLcdQ5MW9MWBNyb8E9VF6IYinAM+oC3a6sQ:fOcSpLEpYinAMxCkQ
                                                                                                                  MD5:098AA5F5859D20B7719F6CCB4AB5FA3E
                                                                                                                  SHA1:5BC4ABBF4605C74475690DA70379086462408B42
                                                                                                                  SHA-256:E01AED7DF04EA4C2F66294E2C38D19FD2559AD2CD91AB30175FA574971027B85
                                                                                                                  SHA-512:6654A2EF0D54C94BCDCD45412997DD0CE2DBE0EE7675DF47AC7D10DD9A61A0DBF3A00A7E96E468FA0996BC51E2CDBBEFF45EC9FA75101E918FC14F6F274BE030
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15920
                                                                                                                  Entropy (8bit):6.817127728987462
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:FZ7RqXWDRqlRqj0RqFWVNyb8E9VF6IYinAM+oCVaX/:D9qKqjqjuqOEpYinAMxCk
                                                                                                                  MD5:9C9C0184972082224CD5D3F2AF6E0E77
                                                                                                                  SHA1:D0D7C46D04D6DC7264E5C6BE53CA34DDBCD4FE58
                                                                                                                  SHA-256:B2C0A24B2757D61DBEA647EDBE2D9FCC142846EF146D1654258C7D45914D5CD6
                                                                                                                  SHA-512:E1CB8A9BA85ACD7CB8C10E2A922CEB49D2FA0E01EA0FFEBB742B5571FD8BF857BE8FD702D891C3C75676CB4B861091FA7EF8D095D23B3CAFBB828B286F1FCD0C
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):20016
                                                                                                                  Entropy (8bit):6.62945691310315
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:ANBMbljRC+lgfS1RPWYR1Rw0R9WYRPWYRDRj0R9WSNyb8E9VF6IYinAM+oC3V1rD:AvMhF2SzNzwu/NljuREpYinAMxCj
                                                                                                                  MD5:EA13EEE1E8B3A2E19CF2AB5BDE0C93B8
                                                                                                                  SHA1:8FE61EA0D50065AFC142C7CB594F5D324991E639
                                                                                                                  SHA-256:18E32A5B970F01BE86360A233CD484F3FF3C4D2CAF175CCDF6AB0079961419A4
                                                                                                                  SHA-512:7E0880BB0CC2964EA473CA0302270605714F36E43A9FF60A9C68396C9B8240DE861010005521490F3C19A7D35B0334792E3DCF6F2775F42A0CA27682358C8DF2
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.901409880946083
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:ubZ4RLWdRfRJ0RZWuNyb8E9VF6IYinAM+oClyR1Fk:ubZK0pJu5EpYinAMxCo6
                                                                                                                  MD5:7EDB4DA2D07025A04DD098A07923BBBC
                                                                                                                  SHA1:C6D556324D9DEE8FE9D8DE68841634425924789F
                                                                                                                  SHA-256:042C0F918096612422011D42D0A3E22757B57457E8677973BDD4E5694C0226D9
                                                                                                                  SHA-512:0D47E6CDD8DDE2FF5F0FC26745A434995DAD39D1D6BB5766D93B0635CA6DFD786B9680054B48AC6C5ABC3AF79C55E2C16DD2CFB1D621BAF1145277D8B8A60BFC
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.798639249065837
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:0Fx+WTIEfW50ANyby2sE9jBF6IYiYF8pA5K+oCGUHFz9ZITneu:UYWsmW5Nyb8E9VF6IYinAM+oC39mrt
                                                                                                                  MD5:DF12986E7A5DFF2263354737C9436809
                                                                                                                  SHA1:A1B4880508F135C4BF5FAEBF479424CBEC8FF342
                                                                                                                  SHA-256:BBC06214E5835B90D0054EAAD5F80FD40BF43CE4A29E99AFFD12AED7E567A938
                                                                                                                  SHA-512:F6EAB6C15A452D1F6092435A3369359F5471609DA1098F26EEC6BF8968C8865009EA03DF5AD886275D90D5D242D68F15F1C0ACFCB66015A735E9247CC5779E01
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):105008
                                                                                                                  Entropy (8bit):6.382307221380866
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:kvc/U5yNq2oS4Zd0LE3YigSFvhoZO2K3aAYH2TfXmNoJXW7Hxcb:kgk1tiLMYiDFvxqrWDWNoJXWKb
                                                                                                                  MD5:81A43DF8AD73BEE719B131DEF479F5CB
                                                                                                                  SHA1:8ECB4E33C8E2AC7D30BA37B1D4B12331E8DD9F9C
                                                                                                                  SHA-256:5282224AC49FD93AA4E5731F8D23D36A0BE8830E1240CE803A94131B30F269DA
                                                                                                                  SHA-512:B426CF15D47974CF2AF37AC322C6DC956ACC647BA67641908D20BCDD0AB443C50239AD0A563D998DBB6A5AA5684AAB2AE7A5772922EF81B0FFFEC5970EB3E223
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.8542726522556805
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:AKcuz1W1cWMNyb8E9VF6IYinAM+oCLnrDoqi:Qu86EpYinAMxCbs
                                                                                                                  MD5:0E639C40291252B6B94BD56C8C2E4A2D
                                                                                                                  SHA1:30A19A37E9972AC4D10E578E314AC286F9126045
                                                                                                                  SHA-256:C4B9D13CFC96C03B2A1078B76155CF8C93D27858EFAC6321028C307FA43760B1
                                                                                                                  SHA-512:819B1AAD6958F96D4A0FCD4B48228B8D4A4FE24432FF706DE69C93E96AF1D03814E8F0A3065B3B228A77DBB874995454A271237F87D94279CB896C2645424A7F
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.864879066460218
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:LpXYpxjSSWikW5I0Nyby2sE9jBF6IYiYF8pA5K+oCGUHFUd79eOJaZWK:Y+SWikWBNyb8E9VF6IYinAM+oCAd5QUK
                                                                                                                  MD5:D81808C4239C950E30821393BE815794
                                                                                                                  SHA1:84DA8F3786D0E8CA360848716E61CAEB059941A2
                                                                                                                  SHA-256:42B58E52682733FA8F505B784EBC3CA7C7E8C529AD6025AA324984E47FE0BCF2
                                                                                                                  SHA-512:F0D869406437F20B35FB536319BCA29C3DFB914342AD2497D931EDB7B742424C19AD92A3FB985AF14172CDD7BD36BA6B690642A17578479A8AD0DD80F2E781E9
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.906247186393836
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:QDxxhREWzgW5mGNyby2sE9jBF6IYiYF8pA5K+oCGUHF76amamyTds:kAWzgWlNyb8E9VF6IYinAM+oCXE4O
                                                                                                                  MD5:1E5980ABA0E632BDAFAB1AE983BC45D6
                                                                                                                  SHA1:E6C5185B87C8665D9035C85EE43076A522F48035
                                                                                                                  SHA-256:8D58C4BF0AE55D775F42779631467A370A335EB88BE978F0225D7DB220CEAB6F
                                                                                                                  SHA-512:2E6D6DBC48CB7F54E34BA964AC9E8BF23D4D70FE0DE2B1698B3BB70581B80E9CFFAC956C9508C890C7450AEC639DACE1FDB7BEB31DB0B96885D8904DE9DF9B85
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.863001513688545
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:7BLRWbYWAjNyb8E9VF6IYinAM+oC7c/T/b:7B26/EpYinAMxCYLT
                                                                                                                  MD5:9A3283DE5A97F5B005A4A9EBC5CC8462
                                                                                                                  SHA1:23F8985BF7970358804441DC8FA7B4FA3108F735
                                                                                                                  SHA-256:12066B4AF070977FDAFBAE7DA3EF6BD23E2A4D72FCF4F2811B7D1F86FC4548C5
                                                                                                                  SHA-512:25A177E266B8A83CC959BD154DDE33452FBB09A9F754C571195E281C536AB0244C47C35C019E4DE47989A0EB56433A630198B905919C06F71462A681F36C115E
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.8559103413814135
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:0ZxcMRW4/W5x9Nyby2sE9jBF6IYiYF8pA5K+oCGUHFyF5FwNi:QHW4/WRNyb8E9VF6IYinAM+oC+mNi
                                                                                                                  MD5:61267F80038F9F92D25E8A4AA6699D71
                                                                                                                  SHA1:6657E4B501CF6DA418FA48D2FF355FB5F841DE43
                                                                                                                  SHA-256:2669F22BCDF69F2AE9111B0FC4E0672E227A751F67F0E4302E25B656C40D4E2C
                                                                                                                  SHA-512:4DDF947DAF9B46DA0385D07C72754C386905DF18A267B8E699AF5EB4C6F4C84481539EAB182D80B42F9823D766D5BBBB2AB441FE13EB588345ABDE0F82E324C4
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.9120881175384286
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:2YvkRxpHWmCW5O7Nyby2sE9jBF6IYiYF8pA5K+oCGUHF69Sz:vvk7hWmCW0Nyb8E9VF6IYinAM+oCuEz
                                                                                                                  MD5:4314D483552C965E658C7C58929A8D6D
                                                                                                                  SHA1:DBB6F9A41B8DE539BF082B26CF9367346FB32B3D
                                                                                                                  SHA-256:3A464BD5D7D29694A52A84EBD32D57F6225DCF08F392993B041EF37AB17171D5
                                                                                                                  SHA-512:AA1DF698A6923F83A057E48FCA8E811A2F1C0DDE698C6C40480187F0651C9F2BD384BF6090F95149F3D2BDAE9FAED36EE1B1EAEB23BF909FD10F8B5A40B997F0
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.875758648591913
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:CUiW2xf+C/WCUW52DNyby2sE9jBF6IYiYF8pA5K+oCGUHFLZioEt:gGMWCUW4Nyb8E9VF6IYinAM+oCRwt
                                                                                                                  MD5:E3B700A74640FC81B9CEA927D121C2A5
                                                                                                                  SHA1:9B8C917E4D7C673AB043BFA615A077D8FB49AD44
                                                                                                                  SHA-256:C11438FBBD7136B75F58B2EE21DA25827B814257A5489AF3957901B37BE876C7
                                                                                                                  SHA-512:8E7B9AFD381EA16975E8C92596805523BCDAB80CE64B71EFB87C91C402D9C017DE543E074EE2517B1866E6783D972651A8E328C66CD60C3C69C93B74B6DF3167
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.857054298846541
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:/BhwI7WSQWLNyb8E9VF6IYinAM+oCCtgMW9i:/DwIBlEpYinAMxCvw
                                                                                                                  MD5:4214C8ACC40CE0164D9EEA22687CE0EF
                                                                                                                  SHA1:1F156837CCDE47CDB77BD919C6C781FC775E02CF
                                                                                                                  SHA-256:8AA7AA16F30C28D46C97925EC3A967B6350BAF257EC49C3DC031F535D884397C
                                                                                                                  SHA-512:B59A35FA0A41AE721E1F143317934A5A3E380245993A1A370AB31CEAE3150AC223A5A53B4AA43247A632DE13BBD91513E2A1E89D5FD44C20CE757D96C25E79C9
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.870890431174606
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:kNc/vlxK6FW4lW5TYNyby2sE9jBF6IYiYF8pA5K+oCGUHFLKKPfewkKCi:SyvPRW4lWaNyb8E9VF6IYinAM+oCnKeP
                                                                                                                  MD5:39546D501824B31001C237F69672EDFB
                                                                                                                  SHA1:B7A4EE51B65F2A52C2B0A1557FAC4A6B86571544
                                                                                                                  SHA-256:D86E70FB7EDB31E59242E5ECEC1617F83928025B243158E17E100F5EE06734F2
                                                                                                                  SHA-512:56F776BAB2BBEC01B43AADED0414085A52A4687F6E78393CC556F75D3C13726A3D71FAAA4D29D28645BF97D14CF9D773972D413D2553C8666BE260714E275779
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):16432
                                                                                                                  Entropy (8bit):6.824226980431581
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:Cnhp+J2sx/5W6eW5L2Nyby2sE9jBF6IYiYF8pA5K+oCGUHF9IAvnnBArO:k6RW6eWoNyb8E9VF6IYinAM+oCiAvnv
                                                                                                                  MD5:7662073D5C9F5DA86E7BB16AC01EC465
                                                                                                                  SHA1:5908E08B51C311BF941FD3E8D7494A43EF556707
                                                                                                                  SHA-256:E110DFDD5440CF6A8945309477298DEE2D12F6B52E9E80213E817E04E457BDC9
                                                                                                                  SHA-512:608CA6B3FE7EB302E044ECE43C83A41F437820CF743CC5E4D8A3C02209E9B607C699B02D7F67D8C47C77DFF453C26138FF2F26A2E52E83662DA34279DDC04F20
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.857337169237656
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:3SPuxFp9W70W5pjNyby2sE9jBF6IYiYF8pA5K+oCGUHFqR3O0iG:3SUP9W70WTNyb8E9VF6IYinAM+oCu1Bd
                                                                                                                  MD5:C7475AA5C816671F648950C8B3D80A50
                                                                                                                  SHA1:5C016A103034944586FC1E427D413BF7ACD32934
                                                                                                                  SHA-256:DAF45389137134A78C7918837084C67EC020BA4D4B6326A9C0167A892B0BC6BF
                                                                                                                  SHA-512:53E0A144440F15949D5881E3234E248099D518CDE6424CEF9A71351DD141A0329A012FC3BA36E361C61A8AFED28B5FF7B8D65A161681D3CFC4294E2401588D79
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.850913897976473
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:838yg07W0/WFNyb8E9VF6IYinAM+oC/orPM:ABH0EpYinAMxCAQ
                                                                                                                  MD5:06188251B3A1A875394711909E08FB58
                                                                                                                  SHA1:AC3BB0E100B209F13EBD3D1F4541DBBA86380C82
                                                                                                                  SHA-256:63E55277CA37F86089AAA1EF548A829EF3C79F7903ED90CD2A87A5A36CA05560
                                                                                                                  SHA-512:C13D22C64CB6EE3E9B6128876B2C5A008E5C0A8FD70E4BBBBFEAF6A8B2D9361A428673F44AA5BB3FF3A255EFA0AD4362B234AF9CB128D6FF6C9EEF18C88777E6
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.816246694368643
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:queAxQJ4WmRW58/Nyby2sE9jBF6IYiYF8pA5K+oCGUHFOq9gyBs:we1WmRWaNyb8E9VF6IYinAM+oCaKgb
                                                                                                                  MD5:E6ABCF274EEE36629C345B9AEDF26554
                                                                                                                  SHA1:187B7F5B3166740895FADF9D213389366B57430C
                                                                                                                  SHA-256:3ACF086B5F0CA5198B97501853AA4BC9C39EC48B420157C55CF166B73E8F0F36
                                                                                                                  SHA-512:E8C740F7695798102E37EBB1419A8E7CA9601B37930F2E446B4AF01277B8D28D732CFE9824FC3911EEF43C08D6E3732C8C7F3E03A1D04798B1607DDC2FC07120
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):142384
                                                                                                                  Entropy (8bit):6.161479044620922
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:SUGrszKKLBFa9DvrJGeesIf3afNs2AldfIQh:lBFd3/aFs2k
                                                                                                                  MD5:A43365B5967E6019BC635070BFC1E909
                                                                                                                  SHA1:F7C0912954D447DB22A06AE3E322C1AF718B41C4
                                                                                                                  SHA-256:EE2DE8A438625A5FAEE72A26BBFDB9005473B7FCBFDF5B0D114FFB113FC4E884
                                                                                                                  SHA-512:4C22C5BFB7828BE10074B4D52CB44B2BDE25F9007E01CC918FD538B6EDE72577FF0E54E93D33A5FFEC25FD84D00512E99E7D1FF8249E92FBF7A38F263BD4151D
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):192560
                                                                                                                  Entropy (8bit):6.115523408722963
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:xeruQlNGOhYq0AQcTvankc+8lbKta4FUPAT8xpRI454I/Kv6RpZ8dwPSgUS:UW60VcTvakcXcApOG
                                                                                                                  MD5:8DC9C3A2D3770FBCCDD2D25266CF69D8
                                                                                                                  SHA1:07C4CBFC3F406B65FCD917B178B497B2F787409F
                                                                                                                  SHA-256:A1C0B1830533EDFD5A02E16D5C20227CACA3FFA8485216142F056D761B95A05A
                                                                                                                  SHA-512:865CAA63FC175E74EE7572886C37DF90AB2EFCBF76536A5B9B188E4AD3C7BD6C714B6713202F3C716CBBF830D28E8C54A6D17FA1A634267EBF3C0121F10E41D8
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.840129577582069
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:oCZsxgyrWYLW5lSNyby2sE9jBF6IYiYF8pA5K+oCGUHF5LxLCiLv/Z5:os6ZWYLWyNyb8E9VF6IYinAM+oCNNLPT
                                                                                                                  MD5:21B5CB012909AE25847697B060BA8B50
                                                                                                                  SHA1:08182D897B6176818C15CD68858D7EDCDBD5151E
                                                                                                                  SHA-256:60CA68678C435561216B95DE986225D0EACC7957822781DC709E142A23E96AEB
                                                                                                                  SHA-512:AE94EC4E5D6B339526045FF29DF7099D8E59587D1CCC53434A0C775A9D5055EF5402335F302ABA71DBE97BC88F7A49B2F8798944413A98DF38EE0B60C95A2C7D
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):16432
                                                                                                                  Entropy (8bit):6.791178572741935
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:jk14xPxHWMQW5YGNyby2sE9jBF6IYiYF8pA5K+oCGUHFKHdLonB:w1W1WMQWrNyb8E9VF6IYinAM+oCuHCB
                                                                                                                  MD5:03B4C9F4BCC57182994AC8F1FB30D357
                                                                                                                  SHA1:E2154538A6F7304438DFC2B86D05998EBEDF83AC
                                                                                                                  SHA-256:632E7F3C2E848A6176BF159EAC25E8025471DF3AF565749991DDC0A72BD08F58
                                                                                                                  SHA-512:125C8D889B7569CDBC2A5E10B483984E08C66461DA9FE9DD8A26DC6401913720B448E44049ABBD2D0C4B4825C3D2480A13D5CB70942F3DA037C6A155071D2520
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.834812088864677
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:FQ/rx72WSKW5xjNyby2sE9jBF6IYiYF8pA5K+oCGUHFA/kq+rop:2dSWSKWvNyb8E9VF6IYinAM+oCsF+sp
                                                                                                                  MD5:B94C0D55F9DEEBCE0AE518A7C1FF7FC9
                                                                                                                  SHA1:CB0D9783B75CEF6F6646456D1BD1FED6CFFBA6E0
                                                                                                                  SHA-256:826FB58946DB883EA027C648AF51456B2DAC02D82C0640F6A3D47F75F60F7E91
                                                                                                                  SHA-512:71CF72886EA82807C41C33A4BE8F4E3EF96AAA8FE0416BD679DDDDE5FF9B299FC04105BE35886598C37EBDF17D8FCE77B8C12726191CF5CC7BE2A6F42BDD228D
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):16432
                                                                                                                  Entropy (8bit):6.749123657530473
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:iJEYA2WkIWhNyb8E9VF6IYinAM+oC1IZ328LQ:iyYA8vEpYinAMxC+ZQ
                                                                                                                  MD5:A26A7355A0F869DD740F8302E696FF25
                                                                                                                  SHA1:B1FD9DC4A90A4143774525C4554957176402106B
                                                                                                                  SHA-256:518C1803C8DB6875BF335151F892E34DA725B121B7F7617CB1866956486592AC
                                                                                                                  SHA-512:D9F0856A2F0EE39B8001EDC2AB478718A48C974571FCAA38D6021EE72D5820239D703E37C293CAE508284BD209AC35DCE58EAC9A141C9B4FB023A70EEE95B160
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.878256468311067
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:EJGWe4WENyb8E9VF6IYinAM+oC5OXOvIJ:cm6EpYinAMxC/vIJ
                                                                                                                  MD5:B13D87B4279183343430165A63DF5D61
                                                                                                                  SHA1:A8425A12B934F581E4B2590F8726A00FA59CFC9F
                                                                                                                  SHA-256:9783A508C583ABB0F379ED9EA780E83AB2E506FBF8C2F74341DB5D61E40A2CB9
                                                                                                                  SHA-512:112CA58BA27B7530A6BFD95C722A966F597F67988157E337E6AB365832EA1206C15150CC572AFB3FE70ECBD42CC2186BEB2B6291ACDD1411B5B60522DB134AED
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15920
                                                                                                                  Entropy (8bit):6.784153781952316
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:FdW1w3WesWvNyb8E9VF6IYinAM+oCV4Ram0p:S1wx1EpYinAMxC+Um0p
                                                                                                                  MD5:A647351FCDFDA523270411A05330F65F
                                                                                                                  SHA1:31AEA0A4BD322D38BBCED174377C69C26E1C1420
                                                                                                                  SHA-256:C828BC2A65A5DEE3CE49F2FC01EEAED02011CE4C4BABDDB2E187AA2C1793193D
                                                                                                                  SHA-512:097C3627DA0FB41FA3129250B7EEAB35053F0C26B222903194F4BFBCE36D8BF7A32AC0338E72234010538D07512D93C557E98A6F00A76F5F3126B6BC4C31C94D
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):24624
                                                                                                                  Entropy (8bit):6.594209857362746
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:fylNGlfdqj5531HJTABhf8g2MkO1ICMbmiT2Y4Y3ocWS9sWvW8YsWmNyb8E9VF62:fyp12Bhkg3qnV/sEEpYinAMxCRvA5
                                                                                                                  MD5:B801570396E51A09A5A839F68470EBF3
                                                                                                                  SHA1:3AA0C793291D8C6CEE4F558474FBA64180D2A635
                                                                                                                  SHA-256:550DA51098EF5C3AD5F6827FB682C098D2A55B513F39FA89F23546F7BBCA0CCA
                                                                                                                  SHA-512:C168A6538763A574349FE5D4BF8B6BE42CA4B353C11401D16AA5BC50B718F3C414D7214F3115B2767FB175BEB2C187491D0C0358414C2D5C3802FC0821F2AD15
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.857045567772236
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:hSHlx2PW1bW5akNyby2sE9jBF6IYiYF8pA5K+oCGUHFl5tvFj:kHPAW1bWPNyb8E9VF6IYinAM+oCJ5jj
                                                                                                                  MD5:755763AC761829B708C4F6AC1E4DD56D
                                                                                                                  SHA1:95891B7A944C0CEE2BAA670108A9338A8D7BBE0D
                                                                                                                  SHA-256:9F2D4608E3FA4AE04E6EDA3B06C4176AA30B9A12E9978528095BE4A3C8215E4D
                                                                                                                  SHA-512:04BC832878274BCC98CCB18F269EEA96105C3B243EBB882B62A0DEA079F0D073CE83335E517DA35B7E6F6A4CDEA13DBB459E6F942B33821A686D5D79E619364C
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.855690111371631
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:o+TxwFqWD7W5d/Nyby2sE9jBF6IYiYF8pA5K+oCGUHFCet6Kg:jNoqWD7WXNyb8E9VF6IYinAM+oCegg
                                                                                                                  MD5:FBCBC20D98A796E892CE421A726CEA4A
                                                                                                                  SHA1:C9D25AA5AF24F4983DBC027FAD7B89573C0158DD
                                                                                                                  SHA-256:5370C7DB181CD65698E34893D3C234738CD4FE6A844D153311A6A2AE26532A48
                                                                                                                  SHA-512:9C76F247A66693E846D0F83CD32F0952083AA8144AC904162756073F9AF103A87DBC4A0F1E0A3EF328A8237D307C1A6B41B05BB7A29D3014F9936C51F3057C5D
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.863088883661345
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:dGETSAWUEWvNyb8E9VF6IYinAM+oC6t0Jx:hT1tEpYinAMxCv
                                                                                                                  MD5:C9029E037F4B3871CC6A91E1B6C1EC26
                                                                                                                  SHA1:0141BFA8130F9E66BD96134E3481DBA578607581
                                                                                                                  SHA-256:8AEEF456BC4D080E528422A7C84999E2A37B55C7FC1D54946BFCF66A5A563602
                                                                                                                  SHA-512:09CE23955A754BAC1C8BC00B293A3FBC6A18882213F2B2C60DCFB6BC20AAB29F66DDA39CDA86076EF9823B01995F672E95D97CDF19D2B43E8E625169E83935E2
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):110128
                                                                                                                  Entropy (8bit):5.512428319727748
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:VPOw0SUUKw+GbgjMV+fCY1UiiGZ6qetMXIAMZ2zstK/i7Hxd:VWw0SUUKBM8aOUiiGw7qa9tK/ir
                                                                                                                  MD5:EE7E03D81617BEEAC4146802F335ACE0
                                                                                                                  SHA1:5FE83B56166303C06BD972AAC90568E35A54DCE6
                                                                                                                  SHA-256:E873AD02839D122803CD13560BF9800D284075062E6B672209095823CD9F101F
                                                                                                                  SHA-512:37748D3FB882AEA2CEA60F92D12DC4E85C9929E18DE677CC6389FCAC05BF337051CDAA7C770DD6573273329C1F9DE6BF523967A7E851C5C1BFBE38584F794B0E
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15920
                                                                                                                  Entropy (8bit):6.8513999869142745
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:BcDagtDApWSKJWVNyb8E9VF6IYinAM+oC4Ls1hK:BPKBCEpYinAMxCNzK
                                                                                                                  MD5:82FF772662364A0C496745BC1B4C1F26
                                                                                                                  SHA1:D6C63BE1D816520E1276AD3A058D17BC67E5AEC6
                                                                                                                  SHA-256:FE0A154AFBED15F964515DD613BDFF6927AAD440A5F5CD698580E8EA548875E9
                                                                                                                  SHA-512:62DF45A06C008E0FEE7D5C40130C04548A69EFC501A1EBF6E06C040967DC5A75BBFCB11F2A5F417740ECCC5AE9BE84560C263D080D7BBC5881967FCD8DDBB80E
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.859839841612763
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:b6NxhqWD4W52ANyby2sE9jBF6IYiYF8pA5K+oCGUHFAybofaz8MC:6IWD4W3Nyb8E9VF6IYinAM+oCM0Tz8MC
                                                                                                                  MD5:F3AFFB9C15521C0072C36F033650A77F
                                                                                                                  SHA1:CD6167209EE2BE9DB10BBAB5B6FDEE5DEC9ED8AC
                                                                                                                  SHA-256:21D64B5811FAAF215AD863A9F1B164240F235806D51751A6CC0684FEC1AF54C5
                                                                                                                  SHA-512:656899E1F92DE6B3141B7FF59B695AE3EC047B7EAA0549F79AC9FE6C0E70C8F8CD4A52E2FBC0DEC85B61598A9241FB6DA32F17A08064C21FCDF1E3747CB24D7E
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15920
                                                                                                                  Entropy (8bit):6.787615206970784
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:oW2KxVSWzQW5g3Nyby2sE9jBF6IYiYF8pA5K+oCGUHFh/JZlpi2Tr:HMWzQWONyb8E9VF6IYinAM+oCN/Jc23
                                                                                                                  MD5:74CD47CCF9A23509EB1925949117C7D0
                                                                                                                  SHA1:BB4CB6FDAA42DA65C8BD6CA583F981F5B1A30EC2
                                                                                                                  SHA-256:565175621EC7C5E2DC1E4FC10EA7A191D4AEE273AAD9488D27155BCA8D9326B4
                                                                                                                  SHA-512:E53CE1150EF7E0DE8514CAAC5745D8A9A7F529D2E3A5DF770F6A52D6A8FB1782A88A400A15A48AAEE2197AE7CB9E57A4C59CECE7FBB1A1D684F2809A1FE81CB4
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):16432
                                                                                                                  Entropy (8bit):6.724837659990903
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:pxDHKWAMWeNyb8E9VF6IYinAM+oClPK4N:/D8wEpYinAMxCVB
                                                                                                                  MD5:2A13C29EFFE6FFF14E834DCCCE11363F
                                                                                                                  SHA1:CEE6B6D5A120B3D9F8B3AD23631D030589297A2E
                                                                                                                  SHA-256:263E679510015DC47E8144298801B83A2EB2B54683E8CB77945F7CE7CFB8AF6F
                                                                                                                  SHA-512:757FF7D240E3E2A056F55BA9FC0CB75C6592796F5375C90BA000DD929347AAD5A9817C1F4048C2E716E3171118F2117134245A6ECF2727DA5544580237AF57A1
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.832344368002849
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:hLNBEW6pWpNyb8E9VF6IYinAM+oCdT1qehj:hbMmEpYinAMxCpl
                                                                                                                  MD5:00DFB3D21000CE6AB0F0943E4A899A1B
                                                                                                                  SHA1:ECF0E793679AE3C510F9DBCCC10F8837A084072E
                                                                                                                  SHA-256:AC56ABBA06CC073A1C99DCFDC7511CEE96C69C5E2074DC40832A3B728DBA35C6
                                                                                                                  SHA-512:92240772F48D6B823920EEB4979746D44C8C8F443D979C1154F68BF4E6E107C97145BFC872B6B2863581E34BFBD9FBE1B30251471ADBA08CF8C2C7C12E4F12C9
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.886146240522453
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:+KkHKW/tW7Nyb8E9VF6IYinAM+oCkNKuT/Oeuy:DuMEpYinAMxCWlbN
                                                                                                                  MD5:D8069A40382EEBF69DC58E4C4C4C9C55
                                                                                                                  SHA1:B61573C5F26F0E8B1CDF4ED2BF8914664A0CBD34
                                                                                                                  SHA-256:F9A492EA7AF7A8A965F64BF08113412EFF8B063569D60078ADD7D786B266149F
                                                                                                                  SHA-512:AAD64D250A97FCB30D79E7A9D700D716D73386F0E976A19530CB896E662C2F0492737EF96C7B878E3A27F6F195DE109805DA4A4063DA52C4ADAF5B1030837EF7
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.834800241318689
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:YLnfIWqrW2Nyb8E9VF6IYinAM+oC7Dq1bDlh:YDf47EpYinAMxCgbhh
                                                                                                                  MD5:D5A14374A84846521F535F655B08E291
                                                                                                                  SHA1:B6ED9DB545D383FFC649B129CC976D8C3ED3D62C
                                                                                                                  SHA-256:EE04FBA35F24880E5611FE71954EC563423CB7661DBE85332B39B708227845E1
                                                                                                                  SHA-512:C555680A58BC989285ECCFB8E60F3FC414FE9FE343A4D0390C7FFECF1D5211AEB262D76BA711BF7A2981E457B2F6929281E543FC5EA569BD76672673D1DFD0AB
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):17968
                                                                                                                  Entropy (8bit):6.674121027050591
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:gh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBAv:gy9eEpYinAMxCAq
                                                                                                                  MD5:CD0597748B58BAA0987F04AAC12C49E6
                                                                                                                  SHA1:C22646FBAA464576A9308490E9A485128DA6E233
                                                                                                                  SHA-256:8461BE14B848A3ED24377316ECF0BC8F3D94589D26480D9E32B6E3722732CD6E
                                                                                                                  SHA-512:A93DE89A5790D8F0ECCF3C260F23C3B5E1022244A88EC59DB9D847CE307AE5AEAFE15FE0A287E590CC9E8175042B224B4FD78A79568489E6F7FF70209976DFE8
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15920
                                                                                                                  Entropy (8bit):6.813554018350934
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:Ena8WK1WTNyb8E9VF6IYinAM+oCY4YN50:Ena0oEpYinAMxCy0
                                                                                                                  MD5:AE46262D6F3C39E7567471D863ABB7E1
                                                                                                                  SHA1:1DF6ABB19DCE6E55138BB1E435BC64B20F106339
                                                                                                                  SHA-256:0407F8AE6999185D868F49FDECF2131D217481B28A98F8E21B7877B2608C1000
                                                                                                                  SHA-512:ADA27E97F729E084AFC1A3881A298671F003A2EB33EC73A6EF02BBDA95524C487088E4E87256AB2A1AFBC879D1B3CA478EB07495E160F0123D2DFFA9EB0A3FFE
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15920
                                                                                                                  Entropy (8bit):6.765789192823512
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:RBSWITWjNyb8E9VF6IYinAM+oC3mR6WAAW3a:R6eEpYinAMxCWRgta
                                                                                                                  MD5:D8684391AF95221BBDEDF477167ED935
                                                                                                                  SHA1:FEE1AD3F56D32E015B7CAECF62EC28BBD0333669
                                                                                                                  SHA-256:9033BEE210A22A36E3F9E4B47609CEB9EE5E483DC3DD0AF3530CC08E6E5F5D5C
                                                                                                                  SHA-512:068656DEBD78517E611CF8A7C8A95675BB173AD4AD826C5EFE84374DAC76220FB53317910772D44901C59B75C932CCBCEC4862917422C6CF9CC973A7BEA87C99
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.875547004279443
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:X88cIIWNoWINyb8E9VF6IYinAM+oCJ4e2:X9cUeEpYinAMxCx2
                                                                                                                  MD5:89494EBDBC4C195C6A95C124511F0E09
                                                                                                                  SHA1:49B916DDBC7D7C0C56AD7AC08140B843A7D62B02
                                                                                                                  SHA-256:34AFAA99089102614DECA07742DF61F913CEEF3FB71D85214D52D299064BF9D5
                                                                                                                  SHA-512:7139BB20ED7836486C70D63C0C451F26BEBC12105132CF0D1AE1F7BD5F348D91A70A500A926A376F185AFFC1DE9215CBFA564B4584528A08F20950C0A149AFEA
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):22576
                                                                                                                  Entropy (8bit):6.62055244452865
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:1kUwx9rm5go1fWKmmW4oqN5dWjaWxNyb8E9VF6IYinAM+oCowX/USZ:0rmoFmWXX5EpYinAMxCbXZ
                                                                                                                  MD5:48AC77B707465BC012574E05547547F7
                                                                                                                  SHA1:354F6C91655574659EED716E14604435C9394D51
                                                                                                                  SHA-256:EAA69830D08C05D58B7EE216D1C5D1C19F69597A59D897252F3455081FAD5578
                                                                                                                  SHA-512:00030A58AB3837169DB67BE53999D7C2F6A6FA64A334A51A01F526D4D873E2B0F5A60C4C47712FB266C6752E1212EAE35E56A80104944262882E041198C21864
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):18480
                                                                                                                  Entropy (8bit):6.673862225741473
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:B09bOAghbsDCyVnVc3p/i2fBVlAO/BRU+psbC984vmJHrE1dtx66aI2sU52RWVsz:YOAghbsDCyVnVc3p/i2fBVlAO/BRU+pB
                                                                                                                  MD5:0E6D75B6158418F0A95E6CB412CC0353
                                                                                                                  SHA1:EA67A1CA24B6824F3198CE1BC5AA58A00B12E11B
                                                                                                                  SHA-256:DE6EE529839FAD27C8024EC8B895266165430776548B78D6EFF578CE7789EE89
                                                                                                                  SHA-512:93FD7D4485009ABD8245FF347DC2FD8739488B66E54769DF5875EF3B37B5A6B1AB99ABBED462F2D0A826F4B2D3D8D16D382991488FA6B91A5CE2EDB21021CB32
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.831572533599495
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:cHYx4AW6RW524Nyby2sE9jBF6IYiYF8pA5K+oCGUHFt7kRCdU:l7W6RWLNyb8E9VF6IYinAM+oCZ7TU
                                                                                                                  MD5:FB71DB3448ADA905D419397DD27B42B3
                                                                                                                  SHA1:CD9D9F8B34AEBC429AD85E960259E61FE6EC9B55
                                                                                                                  SHA-256:263EBC2FF99DC60B5CD58B450B1A517BF24BC3A064E9396ADE4D1181A0B000BA
                                                                                                                  SHA-512:FC39FC219EA027E358F16C6903E0C4886D939F9F3D3C540AF2781AE72F3AC7056F5DA9F0C399AE312C40D822932A27109605EB8EDAB64851CF8045AC83FA188D
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.924286323235784
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:jI5HeWFwTBsW9Nyb8E9VF6IYinAM+oCuK9C:jI5HFwTB3EpYinAMxCl4
                                                                                                                  MD5:100170C1B006D4151D70BFAB2F606618
                                                                                                                  SHA1:C8B5516053BB65659F1DFA873A2221ACA360E565
                                                                                                                  SHA-256:B238E2ED9BE9B87579163A466CAC425DF02BA853E321E05FF9E3DE3AF6FB6933
                                                                                                                  SHA-512:33B105273E35BF8E9AA542C62AF930B3BD907F964D54C24143D872C51FFD2DCCCECF3D3053B85F775E50147BA9B554220C1F764A6B1A85DB1069447BBF5B0630
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.894774524663774
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:gAJpVWbfkBnWdNyb8E9VF6IYinAM+oCnZMt:gAJpWfkBEEpYinAMxCQ
                                                                                                                  MD5:2C16F35F49CA130BE20A66BE212A533E
                                                                                                                  SHA1:91974A82002EB4D573CC2464AEF22CD0E90A4254
                                                                                                                  SHA-256:B7447B113A9EFD9D0347C3F758E3B07865C703B00218283D1A3DC77D0A270D3C
                                                                                                                  SHA-512:D410689278E308D73ADD384F50E9DD0BE10268EC9C09D73268467649BE48BF4E51B8FD00A288A3729D34D6817B10A18012889855B8BCFED6FCF232EBF02A49DB
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):21040
                                                                                                                  Entropy (8bit):6.5401063533970465
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:H8R71h7yzt94dHWFgQBVWeHWFyTBVWMNyb8E9VF6IYinAM+oCRNkQ:y1dyAqgQBfqyTBjEpYinAMxCd
                                                                                                                  MD5:86C2CF8250170A56EA417E1BF13672F2
                                                                                                                  SHA1:DA672A37C886FEC030EF542AB9132C2ADBDDC224
                                                                                                                  SHA-256:033A22044A5922C19DC170DD18F9271BDDDC0C767ECD4184C8CBCA252B82BC33
                                                                                                                  SHA-512:AFB4AAAC45C6126948FB28084610C26DD08DEA153EC15A5A1F5A52F2A68F44AA579ABDAB8E935D6E5B27E58685FED2A58BB439C30AE2EF78CE2CD2D8670BBDA8
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):18992
                                                                                                                  Entropy (8bit):6.680985479092326
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:IpsBljcZQIVI8CNwbcyMWs4oBOW9MWG4tBOWUNyb8E9VF6IYinAM+oCZ8od3Q:qsPMQMI8COYyi4oBNw4tBEEpYinAMxCe
                                                                                                                  MD5:89EACA9913DE5A262131748A8FBA413E
                                                                                                                  SHA1:711C34F847E09B820D857ABD3D1A3FF054B10978
                                                                                                                  SHA-256:7C35E1A3F017DA51957052CC39E02C28CBA1F36F6E46B35529FE8CDDABE1C9CB
                                                                                                                  SHA-512:CF337FC86DFAE20266B47F276E38BB2434C1C8A674C4F37D29BE5473A341F97C86C01368161318DEF155CE46DE5C4C5750F90B228D62866FAA61F4A413FC3FB8
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):23600
                                                                                                                  Entropy (8bit):6.319697338021789
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:xbhigwLAuZtM66g/Id7WVXWwNyb8E9VF6IYinAM+oCdTuuO0:xbhzkKs1EpYinAMxC9O0
                                                                                                                  MD5:6E381132DE152A3475E305709D23D4AA
                                                                                                                  SHA1:A44AE3A6050A6771B6A6A7EEE0CC03B033B2758A
                                                                                                                  SHA-256:A4AE7B340B49695889BA3893D49F26B645E3B198B21DAAC7BADDC22C9CDE4D6A
                                                                                                                  SHA-512:62804A7FE51D980D9D4329CBC620B52CA247254C63D280E58D891AF62C74B2C4527A8C01F12DEE0C0D7BB92B44F23CF2F2BF0EEAB19A79A307DD36EA2049E31B
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.86777742071565
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:QUcX6W9aWmNyb8E9VF6IYinAM+oC7y5BZ:QUchSEpYinAMxCY
                                                                                                                  MD5:B6F47697E2167ECA90DCC729460FAD0D
                                                                                                                  SHA1:0B093E1D3F362686E7670F5D5E97AE39D1A688C2
                                                                                                                  SHA-256:EE59B35346BB964F045938C42F36B31152FFE0448FB7C0F47A8D4B8F3F00223E
                                                                                                                  SHA-512:CC251146A799A924FACD7763AEC15422518A1B311F1151A8388D45AC88B20916B2AF476E1B56E7563A0CDD6AB0D32FAF980A56A64988C0AA79F87A6B33FB6F02
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):41008
                                                                                                                  Entropy (8bit):5.952082983895029
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:eoBj7kS+8mjvHTeaWKs0Sd4eerEpYinAMxC6:lPmb9WKs0PeeE7Hxp
                                                                                                                  MD5:C918A56C8019B355893017E80AA011B4
                                                                                                                  SHA1:6FB6750CC0B061EBD8FE514761C9435A640EB3BF
                                                                                                                  SHA-256:084EED4F8A3DB18429152AC69707170EE9699473197B268FD50286A62F11AC41
                                                                                                                  SHA-512:0211A760A2A37A6925C46D243653C0229C9F30C7AD0CE25B2D8ACFCB6254409E7A883DE37AB3BAD78B188BBD4A4B03724834ED8FD3F230C730D86DA5044A832B
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.893731616710799
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:vTI2pWPzWKNyb8E9VF6IYinAM+oCWxypjhJ:vE3bEpYinAMxCppP
                                                                                                                  MD5:F65144928C3B53C7947BB102E1288E6D
                                                                                                                  SHA1:E7EAC99B2314CCA19696CA438E44CCDAF9013737
                                                                                                                  SHA-256:BA06A4E711707C8644BABAB2D36414EBF44BE0ED43E2C0EBA6970AB8B42FCF86
                                                                                                                  SHA-512:CA41E3E9AA31A45995A9E4C315ED6FC6D4195242C5476407224894FAD4BEC056116D5FEC1BC1492B4E0096A7B6969CE02D711192A46518AB0AAEC12F46623F38
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.912028776126427
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:ucezoy4W04WFNyb8E9VF6IYinAM+oCm/N9fw:uBzoy+DEpYinAMxCm9fw
                                                                                                                  MD5:2A34E7463FF6CBFEEDE44DA8F342B92E
                                                                                                                  SHA1:26F6D4E4D597F8861A706F4C7EE8D140A46C7BD1
                                                                                                                  SHA-256:3F8E7F6F16EE6782CA2F7E95BDEA4948748A7C1C6D97DD8879543AD775247533
                                                                                                                  SHA-512:D39E991937ED94F77FEAF88667374FEE4E0CB9FA7223D0ABF55898B451E343E8AF28175BCFD70C93E52C501E61918915E1D583C7E565A3ADA955E6EB7917AA34
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15920
                                                                                                                  Entropy (8bit):6.795128333926592
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:c/gHWexY+WKpW5ryNyby2sE9jBF6IYiYF8pA5K+oCGUHFjekeXY67Z:lH/JWKpWwNyb8E9VF6IYinAM+oCXI7
                                                                                                                  MD5:507447719CCA867D2537FE48B9EABCBD
                                                                                                                  SHA1:6F819B9EEE30EFF3229C22D1FD2D8E05217F678F
                                                                                                                  SHA-256:E17A634ED5046725D17C458C88AE68E182AD084376AE0A513B2EC435DB22E0D9
                                                                                                                  SHA-512:BB6177865C0FC675CD1DDA9BC4CA2C426DDD4BCA987D36A1EB98E063DF6D6DE334723063FAA2AF77A5022D55719C74F5A7264F100B11B2482E75E78400A2FD9D
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):16944
                                                                                                                  Entropy (8bit):6.743765550669376
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:rTjbocNsWMhWbNyb8E9VF6IYinAM+oCtLwE:DboYy8EpYinAMxCtR
                                                                                                                  MD5:46646113A8671C616E570AE130191375
                                                                                                                  SHA1:34EB3F3285121040C65F124828FB22C57FD45F4F
                                                                                                                  SHA-256:F42B0174884859EEC6DA1E8B30141E19F600AE4553D039924AC0DAD4E1841CA8
                                                                                                                  SHA-512:855CE45C8115555D0BE7F945CCB77D7D8CE05DE1472F4B0D4CAD8535B92550E4D00901F10078DE81E10FDC0FDAF1D7E10B14F4489E671BA271F1C72D507C76A5
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.843952558952105
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:xSKiWIhWCNyb8E9VF6IYinAM+oCLp8t2l:xSK8FEpYinAMxC9f
                                                                                                                  MD5:81DFF20248F2B19ED960B2E53C49691A
                                                                                                                  SHA1:6117702986558F2352E9068417EC6D5085835EBD
                                                                                                                  SHA-256:10EBD20E59BE4977CA2E8E92FA14A2D115D73371B4612C09E2679B1EC026C9F1
                                                                                                                  SHA-512:F9BCA3BF3560AC6EBD3E7A53AF29ED0389E71780D68DBC19503418A0C5E524C592FDFF95E7B8714DFC0C438CA5264BB31F66A57722EBD80D9C08AA0E1864A415
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):16432
                                                                                                                  Entropy (8bit):6.791455106805695
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:i0KbZWApWmWTpWeNyb8E9VF6IYinAM+oCkp8t8AJ:FKRylEpYinAMxC3j
                                                                                                                  MD5:C46F83097836817F35C876B17DAE8730
                                                                                                                  SHA1:147BD9C6C2211559084EB1F1B1C9D6A99D6E6C06
                                                                                                                  SHA-256:0584979D15B684039D5BA5AD34EFBC674792A213AFD2645DEAF5F23D02679E22
                                                                                                                  SHA-512:BDF759C71B8154BA7370381DC4910352F76903E063BD6E112EF4454E2E5382AAC6818643928106600AF771CBB60ED6B919DA5C1341C0074A5D2063E119F823FA
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.874748396830931
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:+b1nWCXWzNyb8E9VF6IYinAM+oCnY3lWx:A7SEpYinAMxC1
                                                                                                                  MD5:7D700D3B38D8DAFD0810CD4876F9FD83
                                                                                                                  SHA1:B4F61E58BFB4F3749DECC8B346B07177C9627CF1
                                                                                                                  SHA-256:D2CC735515202BBA87EF740A93276C74E0FE2BD88BAC18EFC7D8DD74D76D381E
                                                                                                                  SHA-512:594A2A91060036416ECCA8FA7C3F70AA46B2996A99836A36B84BABC7C8B4D99B5D844EE588A97A60EA1CD2AB96AC8A0B8F5D918917F09B5F2FEEE80B1A1C7570
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15920
                                                                                                                  Entropy (8bit):6.779188885791948
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:cNc6cYxmPlW7TW5KhNyby2sE9jBF6IYiYF8pA5K+oCGUHFFr9I+Rtg:uTyW7TWWNyb8E9VF6IYinAM+oCRr9vg
                                                                                                                  MD5:0A454F3BEDC63C21C6ABA90E35E80C06
                                                                                                                  SHA1:A31F2F6C213CC5381576F4324FEF98CCBFCA4016
                                                                                                                  SHA-256:8586A1D14998B33519E683C58EC2D2CD68B94DB7BC6D4D6EC290A36AC248E50F
                                                                                                                  SHA-512:BBDD88FA84D631B88DF7F11AF7EE0BC08F3A0E2B2A850ACFBC0336A394354697A7AB54002839D29D1DF4BBC388C16F3031ECB165FD147346BA18634CC301E9E3
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.909257187752604
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:f6Rb32WVzW+Nyb8E9VF6IYinAM+oC0Bz9:iRb3dfEpYinAMxCy
                                                                                                                  MD5:DC8AF98B3AA43EC27CFBA21DC2292837
                                                                                                                  SHA1:69CE0B481F2B49643CB946AD02A90812B0A7EA19
                                                                                                                  SHA-256:EFA42933DF41DEA9FDBE6BE37912770D3E8C3869961460E9534D645A7677C40E
                                                                                                                  SHA-512:9FC0DD720AC089202D638743A0F5A50388DE3162177320B56508BE69078073625CE626BF853FA0D87EAF76A4BEC4167235EBF9886FE5E3041643831D5E233613
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):31792
                                                                                                                  Entropy (8bit):6.537621622428481
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:mu5I+sqOylryry8qqIfUc7a5FEpYinAMxC1xHR:mYIVBpry8qqIfUcm5e7Hxof
                                                                                                                  MD5:F52348F4F20D6E7D869376E16E61F4B4
                                                                                                                  SHA1:DC6D2D361FEC63C60D3B1FC94F1202407DB5BE90
                                                                                                                  SHA-256:A3DF93074CED87596A7A0006347854135A1D223CC495D31B33554B013F5C58A5
                                                                                                                  SHA-512:34A1AA5AE037924DBA14A4F885F6A440B7B7027C94ED63674B74199D012C65B9C9419598B696364254F7635B2411E29C1B7AFFA423D91CB0414E1BB5DE6D6CEA
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.875852056465243
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:Kvn4HREpWiQWRNyb8E9VF6IYinAM+oCeWDgL8m:FSLEpYinAMxCZm
                                                                                                                  MD5:F267535EE36B8534C17EC699A4794D23
                                                                                                                  SHA1:9F1636C48D07EC6F6D41F502EC6C34D1CB366A73
                                                                                                                  SHA-256:8F8FF68F8F9D9B0B5535F299ACD91760B12B04DD0F002A625CA37BC1CAF5F30C
                                                                                                                  SHA-512:706281AB412C1683064C19CD710D38168090F3B203A361F5F7765DD7E4D6A7830E785506D852A1CE12CD28C195BBCF09075A9611F41F38170E31D34ADD029DF5
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):16432
                                                                                                                  Entropy (8bit):6.77448448889411
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:Y8MjKb47T3UCcqFMkJ59WdtW0Nyb8E9VF6IYinAM+oCov66o:pMjKb4vcGdOfEpYinAMxC+o
                                                                                                                  MD5:C2F1630FC88F44DF3AE9B49BC5B7749C
                                                                                                                  SHA1:3325347B005570126D474FC6C87D670E82C14BC5
                                                                                                                  SHA-256:7A3853809A234072CDABB87AD1DBFB8C6C49BDF55F2E29883F1A7860AD2B302E
                                                                                                                  SHA-512:6A56651089A71E995BE977B734B970BA1BB3FCCB9E6D2646D6E7F05BDBF00C7EE635A2A9A4480A18A6DCD1669B7C1B58E15BB1E9315CBDFE0EF8C2BE0E73DF63
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.856668488122503
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:vzyNXd4+BW6FW9Nyb8E9VF6IYinAM+oCDYhbhG:uzKEpYinAMxCc3G
                                                                                                                  MD5:B679DCEC9760E87F0008D4F2F2330541
                                                                                                                  SHA1:04990E4E550115CEDFCDC3CB6ECFC9C210EA0A65
                                                                                                                  SHA-256:612852589918EBDE806FA392DF3C69B401976240BD3C2FD3CE9ECFC32C4CA783
                                                                                                                  SHA-512:C5833E1E545D012B43F2C8349DFE70E16DC3E01486F0A11B7FADB93A26984017B704AAADBE743CF916F6FD0368977E98D5E761EF64456DEF51F717BE4270F7DC
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.8620326999031915
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:gvs2Q3HKJNrWWRWS6Nyb8E9VF6IYinAM+oCm8ZrH:guMmEpYinAMxCPpH
                                                                                                                  MD5:A2E040D009F3E0B869B6466665F64E4B
                                                                                                                  SHA1:CF5F9D94C7E0A604A0ED4221AED05CDF13265E83
                                                                                                                  SHA-256:1FC703C161A30E623DD7AD1C9E6D5CE2DCB57B3A64ED258D3E100A718FCE9885
                                                                                                                  SHA-512:7116E91C9605669F5746D34E38B637C621EE5B0F93528B5F1B14004416E3ABCC00B5E9B9C937970104D9AA4B3D043C37811ABD47C609D29CA30DE9E5689F11DF
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.829858302949805
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:iFz0Q6gcqRhcsMWdMWtNyb8E9VF6IYinAM+oC9Jtac2Y:iFz1c6jEpYinAMxCLN2Y
                                                                                                                  MD5:4D5C5C3571C6FC162E5F2386B4350933
                                                                                                                  SHA1:1E8E9426533863991A81C886D294186275D639F8
                                                                                                                  SHA-256:C2E38BC6156537A6177B199F99F074D6B1EC46F6DE82004B11CCF3F07F13448E
                                                                                                                  SHA-512:F5433FF6422E8CFAE794D84EA4996AC1A284B3A5B455028BC296CFA14EEC1D7E66FB5D1A741C7EEC32A94C0D6F30CA1A746BF13A1AD5180428AEC7E93FE29EB1
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):16432
                                                                                                                  Entropy (8bit):6.7233141405495465
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:y6xWA3W4aW/NWgNyb8E9VF6IYinAM+oCIJ8+:yaBbEpYinAMxCs
                                                                                                                  MD5:17A8D0B92AFE0AC51D0FC1B099A10E79
                                                                                                                  SHA1:E4FCA15B61A4F453C6C04214B9392CA1952811C5
                                                                                                                  SHA-256:64F8EAB6554162F3BDA95CA44402C1CD470E74E236E6C7C9A2B594DE0613CD15
                                                                                                                  SHA-512:7E53167BEC0B758C74F6E1DB22A495843C921320BB5395B505847F81EBF17D541D06429DD3FAA066E39438EFC9CA1A0BFBA0FF11CACB1DFC978AC4C40A13F24C
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):73264
                                                                                                                  Entropy (8bit):5.954765148782394
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:7784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRvc:77N1r9KGI04CCARLvc
                                                                                                                  MD5:B0198470EB44D27E51D9F5818F4B26D2
                                                                                                                  SHA1:828733ACEC782256A947FBFC0C039C1AE9F075AA
                                                                                                                  SHA-256:C9AF9310D3F5DCF8B999AFCBF78B864ACC8B974F4F5B12ED3945CADBE7785082
                                                                                                                  SHA-512:7D0337696D05516DA8203205515A3E6CB081C3EB8BAC1606903F2DF239D3A44771E1FF031B7FC9E67B85AF23D8DD04B3AF7670BE8D8393CD5EB0A8A4F8E3B922
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15920
                                                                                                                  Entropy (8bit):6.854248517746036
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:mr97WquWeNyb8E9VF6IYinAM+oCkp9R3Wbe5:mRJWEpYinAMxCedKA
                                                                                                                  MD5:341CD9B332F24C4C7E53531164666F9E
                                                                                                                  SHA1:A07A58F26C5FBF41DA3456CBDC796ACDA69B2EB7
                                                                                                                  SHA-256:D14874711A9DB1FE279F759780AF2D75CFB24AEF27CD2BD7C7EA984B13B41807
                                                                                                                  SHA-512:CA4A830F7733BFA4F734C406136B60539D7C7C842E4606FDE04594792EDFDC70A55EE23A182EF38CEF473D5003F6FB5846DC7AE26A85F98CCF013FF4E6783975
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15920
                                                                                                                  Entropy (8bit):6.794085088631407
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:R16eWLDW1Nyb8E9VF6IYinAM+oC44iq5k:z6LIEpYinAMxCqq5k
                                                                                                                  MD5:6F9FBDB014EFE1DB688C627EBAC7D417
                                                                                                                  SHA1:3C574F015D8D8D4B518A3046ABC740868A067CEB
                                                                                                                  SHA-256:C2742EA58FE3BDBE6FDC70EE7902E4D17FE701EDB8C4F2B5320C2D68C84C0C5E
                                                                                                                  SHA-512:AB35E8F5EAF790E4D3376F3CC48CE110061042C9860A0EE7713070A4B8F81E0311BA1448257D69712C8858F367270FA2B3E64CF2BD62CAC645B35AA425CACCB5
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):16944
                                                                                                                  Entropy (8bit):6.786517559975683
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:l8G4YC2W+wW8WpwW3Nyb8E9VF6IYinAM+oCPVmR:qGZ5ZEpYinAMxCQR
                                                                                                                  MD5:684BFCEDF10E7B1C8DADA304444168BA
                                                                                                                  SHA1:A8F418C33C7A1F874546B66CCB565F0FD44FD7BD
                                                                                                                  SHA-256:D566DD2D463213EC388502E81F4918630642C1C55EFEBF4E049E528757CC7C3D
                                                                                                                  SHA-512:95EA23DB7A555B9B2178BBE52FD79C16E4DAA6874F4672A9D855CE8D41B4EEA5AEF7DBA5298C2447B916FEE99414F5CA896E3E1FE53DDF42C74A95DC898D7516
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15408
                                                                                                                  Entropy (8bit):6.898142113844479
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:96ziqTEkGWvRWpNyb8E9VF6IYinAM+oCKPITS:9YT1yEpYinAMxC0cS
                                                                                                                  MD5:73F2E9747A6A2B63D1113DF842EF2255
                                                                                                                  SHA1:727586913C26BBC7B234A157A7C1B9515D14BF7B
                                                                                                                  SHA-256:DAB74A74DD09058C4CE7BD87317660753E89F651E95B780C867AD210B455CD29
                                                                                                                  SHA-512:048F3C1AFCF5AE4CAD212A4749A7BAE5500DC859FF1A9599CFCF9632CD7581782EC517992D4F00D540AF510AA2D5595634691355EC300873ED79901B229EA484
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15920
                                                                                                                  Entropy (8bit):6.809623495878564
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:VUv7c7iWNCW9Nyb8E9VF6IYinAM+oCILeq7/:VM7c1VEpYinAMxC0R7/
                                                                                                                  MD5:E2229C7506DF972C642D65097EB7E8CE
                                                                                                                  SHA1:1063EE34789DAC1D81239B4F1E50BD037E017F9B
                                                                                                                  SHA-256:7E57A50DCD9DE1E3312EE74E967A9993EC61E4234A2CB8503B4BED9E817093D6
                                                                                                                  SHA-512:C9EA65CB82E766439266D11DC9B2D6C055C56BE4C35EBBB7960F15BE766D835C75F38E1437F3B1103E16CACABCE4BC5CCE9A13A5641F3335B4A2096CA01117F7
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):15920
                                                                                                                  Entropy (8bit):6.853233808770002
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:Th+vxmNWnRW5x+Nyby2sE9jBF6IYiYF8pA5K+oCGUHF8C8cosq:T0SWnRWmNyb8E9VF6IYinAM+oCIvsq
                                                                                                                  MD5:D3292C8DCC7F14ACB5D84354BF301DDD
                                                                                                                  SHA1:832FABE728E43F6AA4C0C005F52781C1EF6319D2
                                                                                                                  SHA-256:527D1729C7BC55FDC88771FB13237CBD9D78DA0023997E854FC723C3C612686E
                                                                                                                  SHA-512:ACBDED154B6F3A0EDB74B22EEA44DCD3A4F5610A750FE7291437D8144EA9D75BBFCAA58156CB4328EC16A39D3E141D71B286D4A977092E7E59DF693AFD73DD01
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2355
                                                                                                                  Entropy (8bit):4.981528504391193
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:s6Q/s1zRs1ziVNn7pItUdSl4s1zRs1ziVNn7pItUdSc:s6Q/gn/7p7Al4gn/7p7Ac
                                                                                                                  MD5:783BDAAA208F759D9B47345B0F940D5A
                                                                                                                  SHA1:8B67DB1BCDA26C7C8750007F466E003D37358113
                                                                                                                  SHA-256:CB6DDC9176F69F6453A3DCA3B20836541690DD211FB5027AA493ED5D5AEC701A
                                                                                                                  SHA-512:304C681CA3DC0417C0FD2DFE8BFB8E6F89DDB5DEEBD8374A3145422DF7BC71C0CE04F9B83E905A9AE3978A62A552A0B2D3F436F3D5F03178B0876F8346588DC8
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:2024-09-05 11:24:08.0661|ERROR|AgentPackageOsUpdates|Error executing command, args: getlistofallupdates..exception: System.AggregateException: One or more errors occurred. ---> System.Runtime.InteropServices.COMException: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....The service cannot be started, either because it is disabled or because it has no enabled devices associated with it..... at WUApiLib.IUpdateSearcher.Search(String criteria).. at AgentPackageOsUpdates.OsUpdates.WindowsUpdates.WuApiService.GetUpdatesByQuery(String query).. at AgentPackageOsUpdates.OsUpdates.WindowsUpdates.WindowsUpdatesService.GetUpdates().. at AgentPackageOsUpdates.OsUpdates.OsUpdatesRetreiver.<Get>d__2.MoveNext()..--- End of stack trace from previous location where exception was thrown ---.. at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw().. at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSucces
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):92720
                                                                                                                  Entropy (8bit):5.483627118870135
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:B2Ec05j4eAH64rh5fSt5T9nFcI94WX7Hxcl:QlK4eA7mDmWXKl
                                                                                                                  MD5:17B53AFB0FDB248CD2ABE749065B8801
                                                                                                                  SHA1:C314274B96EC31B3FB668598F55675B2D8169965
                                                                                                                  SHA-256:2B58002EECD2A5B793CC63F363189EE0FB78D654A63955FF09A0D38B5D04CCB6
                                                                                                                  SHA-512:FDCF6ABF40F4B6CE679E1F1EE54B1A6553445BB885A97666220461FD3601B949A8A2E98C3075A442D2A7497204CBA55BD5F0F9BC2830CAE0A801E220E28E64C9
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2725964
                                                                                                                  Entropy (8bit):7.999917199181124
                                                                                                                  Encrypted:true
                                                                                                                  SSDEEP:49152:CTP2oXCniIA/ZMtub7ID8jy5MswqKRMgcveOpQfWw840AjROyvihIUsnLY8i8S1X:2BYiZc1z5Ml5dcpvi0ryozazGX
                                                                                                                  MD5:87E0691D3B8DCB446AFF3C1A43BF53F1
                                                                                                                  SHA1:572385F4DE28C78487811FC20DBB1DDB95DD7D49
                                                                                                                  SHA-256:3E9F7558B5671E5125DA7C6C1975E49C907DF16518D899AFA7FB111526B2DA3E
                                                                                                                  SHA-512:70D8184657E4172C64D6D876D2C99553A8BFED0BA5F25C3F5AD3A381D509A4C6F75BB95F1973B91D3B2E387D7AF615ACC2930A23842EE90180B5ECCAAF74FDD9
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):53296
                                                                                                                  Entropy (8bit):6.250578884773528
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:7AKn1qFDGSB/5mT+iZ7qVl91fXIux6HtaRtYcFm7B6KfEpYinAMxC6NO:MKn1qFDGT2Vl91wk6HsBm7BlY7HxA
                                                                                                                  MD5:6E034C46991A649567D61B8124D6E59F
                                                                                                                  SHA1:521E87BF75E0E17F6F9AD7805C1BABB0C546B97C
                                                                                                                  SHA-256:BE13A7F910F96B492C76A52CCF52E1D800BBDA00236827DCB946759427650254
                                                                                                                  SHA-512:C8B5B78674250B1935E8C9BFACFB58318C7541601BDD8DA64A388775C743C107900C8699B21838E87B323ABA5D2451F94255CA11FB26B5D23C74289E89FE7520
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):776
                                                                                                                  Entropy (8bit):5.037356665456624
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:MMHdGp2VYF9LNFF7ap+58hOf/2//3QOFip+5v5OXrRf/2//FicYo4xT:JdszvPF7N8OH2//3dVhOXrRH2/d9y
                                                                                                                  MD5:336CAA70D9EF388EDF8B234E5FC40CEE
                                                                                                                  SHA1:864CCB7643FC99313E5ACBEB59D608CD179E01BB
                                                                                                                  SHA-256:9BB07566C5CEAF46CFC1164A63553BB3C00AD8A04138211C6EBA81B60F4FE355
                                                                                                                  SHA-512:EB037FF55C7D61A4170A9143B7BA40CC43DDBC9E8DF673D7AF03548C27C4410F53A5CDFAFE8942559B9E5061419512F3C8FAA5A6D32ED147DD33F832CF43E637
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>... <supportedRuntime version="v4.0" />... <supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="log4net" publicKeyToken="669e0ddf0bb1aa2a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.0.12.0" newVersion="2.0.12.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):12
                                                                                                                  Entropy (8bit):3.584962500721156
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:WhXWo:WBd
                                                                                                                  MD5:C91AF97F5D31DA1F8587189542A14906
                                                                                                                  SHA1:7A552C0BE3A8C7B82F5FA83FF78ED0FB0B9457C2
                                                                                                                  SHA-256:A64001C3764D8F56723ACB78FE86FAE386609E98F61B7625A7419C58E2B55316
                                                                                                                  SHA-512:CD2AE3F50BC7E33954ACFCB4A3DD97241A820592A90657CE9B2380E869EC192E719CD69475422B2F74156F409D0850C56B21A4C8D1FC643BC7DD8DA16166A5E4
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:version=23.9
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):96816
                                                                                                                  Entropy (8bit):6.1809368759805565
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:fJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJd/50vks00UfafgVU7HxLW:fQUm2H5KTfOLgxFJj550vksVUfhVUhW
                                                                                                                  MD5:E5A53B1B8DB89B3965134FE3CB8DF7B0
                                                                                                                  SHA1:B7661710B26F04A4AF6E530085BD9EFAF507A31B
                                                                                                                  SHA-256:4DD785220EB7EB9F8114AA8AC125649EB7AE79685A7A9A6F7819B7C1011BF752
                                                                                                                  SHA-512:266281D307ECA1F2107CC2A71E0B4A1A7105219E74F4FAA0CB93C791FC0AEACE28D41A541755078A72F1EFC2A9B6AE50F4C84F334080DAC129D9FC99022456B2
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):670
                                                                                                                  Entropy (8bit):4.870186870231866
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:5lh3rwhI4IaMFj27/tUYCQpU0E+dqo6rHQknd77psLlO:l334IaJUuU0E+QHQk17psLlO
                                                                                                                  MD5:B4ECFC2FF4822CE40435ADA0A02D4EC5
                                                                                                                  SHA1:8AAF3F290D08011ADE263F8A3AB4FE08ECDE2B64
                                                                                                                  SHA-256:A42AC97C0186E34BDC5F5A7D87D00A424754592F0EC80B522A872D630C1E870A
                                                                                                                  SHA-512:EAFAC709BE29D5730CB4ECD16E1C9C281F399492C183D05CC5093D3853CDA7570E6B9385FBC80A40FF960B5A53DAE6AE1F01FC218E60234F7ADCED6DCCBD6A43
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: Copyright (c) 2017 Chocolatey Software, Inc... Copyright (c) 2011 - 2017 RealDimensions Software, LLC.... Licensed under the Apache License, Version 2.0 (the "License");.. you may not use this file except in compliance with the License... You may obtain a copy of the License at.... http://www.apache.org/licenses/LICENSE-2.0.... Unless required by applicable law or agreed to in writing, software.. distributed under the License is distributed on an "AS IS" BASIS,.. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied... See the License for the specific language governing permissions and.. limitations under the License.
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):710192
                                                                                                                  Entropy (8bit):5.960474505704917
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:bBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUg:bBA/ZTvQD0XY0AJBSjRlXP36RMG5
                                                                                                                  MD5:4C7831F91F22C4329B35B60687D4FC00
                                                                                                                  SHA1:3B867787EF3B6207310250EFFD192D6DFF209C9B
                                                                                                                  SHA-256:F9A13F6AD27604B8DF15F9A42203413AD211EA43D0CDB9B19957CCE3C94A3F46
                                                                                                                  SHA-512:EB33DC0A1C65934C5A22764A0A951B2309BA5F27F13CECFF91FF91E0B3C8DBC633E37BA11C55F88D24D9A584B8F1F8653AF866053DB6F468AC71C56C249ADC0C
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):50224
                                                                                                                  Entropy (8bit):6.202750116213148
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:0SrEZvG2rO17QaCg2zJMnLVPPKctfhSm6EpDWJkBnCvZuSEpYinAMxCA:JsG2KuD7iBnzz7Hx7
                                                                                                                  MD5:5F703134E04CA2F1D499592C3A649FFB
                                                                                                                  SHA1:9B365DA17EBD8C341C37DD914B7806C55A073581
                                                                                                                  SHA-256:A91E9AED1DCE65F7A6C2D87CBA17087ECC5B6BC2BFB9955B416B81F98F9E01AA
                                                                                                                  SHA-512:A356E2A0663001407D01A5DAD533C428E495E55F5C2531AE0915C2F8127528E46D96412EF6CA1E6B1B3679CD7D7F84D2B5C4FA1B9D38306F8818BA01E4942512
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):662
                                                                                                                  Entropy (8bit):4.952846219984862
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:TMHdGzNFF7ap+58hOf/2//3QOFip+5v5OXrRf/2//FicYo4xT:2duPF7N8OH2//3dVhOXrRH2/d9y
                                                                                                                  MD5:0F638DECEBA5011AF737C29E90C20F6A
                                                                                                                  SHA1:1484B6084C8231231C7C472A57E6835B4A3EA146
                                                                                                                  SHA-256:B50494F0DDF2AC7DCFB74BAE526E74F67FF501AD0CD5B712834829DAD9563368
                                                                                                                  SHA-512:0E26D3AD25DE0FD761D4F15E714AA136C19427AA02469BE8A1D0CE639FFC398E798BA30F19DBC77C8A231FC1B849D07A88C2BDC797C9D191847663F15ECA2917
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="log4net" publicKeyToken="669e0ddf0bb1aa2a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.0.12.0" newVersion="2.0.12.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):436
                                                                                                                  Entropy (8bit):4.905081788666757
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:pem717f8PV7U0WCRFPem717f8PV7UO+fo6BNVB:pVR897eopVR897N+fo6BNVB
                                                                                                                  MD5:9683C2504D40159F61B3959C0A32CFBF
                                                                                                                  SHA1:8C48078C62E591E0AC0C4DC193C34549E3F68B9C
                                                                                                                  SHA-256:60ADB7E66BD8BC30D38511ACBC518E75436841E92A0D794C1ADC2D80DDA795B0
                                                                                                                  SHA-512:B1B52F942383154B1B14E450ACC3122747D35032F6433E8C3D1B210E658CB65EB3B7A17D2845B0201A6013B7412BFF912B58C77A7A314AA525CFFE0727CF3D2C
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\choco-logs\09-05-2024 11_24_15-log.txt, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist...Nothing to change. Config already set...Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist...Outdated Packages.. Output is package name | current version | available version | pinned?......Chocolatey has determined 0 package(s) are outdated. ..
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):6655024
                                                                                                                  Entropy (8bit):6.267134376801171
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:98304:FCMEM0MUMRMxMwMkfqbjxbSzGVr4W11ByHY4W6upIw2:9lV1qKpkfqbjeGVr4NHYJ60B2
                                                                                                                  MD5:5EF9992E5A127EB43285711E5ACBC07B
                                                                                                                  SHA1:2DB7BB0FFF5E516BC5524BB340554DAE5FF44C1F
                                                                                                                  SHA-256:4D756FCD37CD44EB88C9E349B783E8314A0460954F0507E60BEB389514E4773D
                                                                                                                  SHA-512:41B364356B95A06E7B578C16B4E5B1A4401416A850C564AEF95D050D06603D167030A1645EFD9733D822CA1D8B3DB4C7FC68CD2904D6A6B0DB3D7F72B2E87D63
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (495), with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):9380
                                                                                                                  Entropy (8bit):4.897876021534469
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:rwhyxWvf7L6ZapbrzRmXBzCWKZD68NJ+IK2E8V1ExAuVXI4n7rJ+ZXVx:sjL6Z+Ht6B+WshDK2EiEJ7lEFx
                                                                                                                  MD5:9D1528A2CE17522F6DE064AE2C2B608E
                                                                                                                  SHA1:2F1CE8B589E57AB300BB93DDE176689689F75114
                                                                                                                  SHA-256:11C9AD150A0D6C391C96E2B7F8AD20E774BDD4E622FCDFBF4F36B6593A736311
                                                                                                                  SHA-512:A19B54ED24A2605691997D5293901B52B42F6AF7D6F6FDA20B9434C9243CC47870EC3AE2B72BDEA0E615F4E98C09532CB3B87F20C4257163E782C7AB76245E94
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<chocolatey xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">.. <config>.. <add key="cacheLocation" value="" description="Cache location if not TEMP folder. Replaces `$env:TEMP` value for choco.exe process. It is highly recommended this be set to make Chocolatey more deterministic in cleanup." />.. <add key="containsLegacyPackageInstalls" value="true" description="Install has packages installed prior to 0.9.9 series." />.. <add key="commandExecutionTimeoutSeconds" value="2700" description="Default timeout for command execution. '0' for infinite (starting in 0.10.4)." />.. <add key="proxy" value="" description="Explicit proxy location. Available in 0.9.9.9+." />.. <add key="proxyUser" value="" description="Optional proxy user. Available in 0.9.9.9+." />.. <add key="proxyPassword" value="" description="Optional proxy password. Encrypted. Available in 0.9.9.9+." />.. <add key
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (965), with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):12946
                                                                                                                  Entropy (8bit):5.132019659587194
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:ctpHjcTfbZO0g2ZyAvGZkAsoXCxAziDR/67E4Pb:ctpDBCvGZkAsCCxAziDR/sF
                                                                                                                  MD5:0BB54C9DA241E0EAAFB6C976AC07EAA7
                                                                                                                  SHA1:045808C9106A4C356AB15A2D8680FDB737DC98A6
                                                                                                                  SHA-256:071CE6FCE85051E373C1B05BB82A92FFB8BEBF34C768B7A2F6E809000A78479F
                                                                                                                  SHA-512:C118C9FEC5903D1F2F6A6FA070130FCEBAAD70AF3459DA82069C5C8ED3D66CEE374C098C6247CCD528187B6856FAA458EBBD8B6F2C0C68C2A5B8EF32C2D7CD75
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....# Ideas from the Awesome Posh-Git - https://github.com/dahlbyk/posh-git..# Posh-Git License - https://github.com/dahlbyk/posh-git/blob/1941da2472eb668cde2d6a5fc921d5043a024386/LICENSE.txt..# http://www.jeremyskinner.co.uk/2010/03/07/using-git-with-windows-powershell/....$Global:ChocolateyTabSettings = New-Object PSObject -P
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3903
                                                                                                                  Entropy (8bit):4.986280475081154
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:cSyL+4pGXHFKoqWJBYc4R2wf3TQJb3jl7t3iv:cSyL+QGXHMWJB7VFUv
                                                                                                                  MD5:1CF35331F337493A5B5B8C482E32B507
                                                                                                                  SHA1:149D5B5ABB4FF20CFAA333946BAAEC6B8EFA5630
                                                                                                                  SHA-256:CCF763934E3801002C260246316DF70C64C66E7721C24B300C634567F5885A39
                                                                                                                  SHA-512:03652CA25D2A78860F735B57600B940D2723DD23E24A2632D5CA76DBFACBF95CD1090428FB6AC23BF945AB20C1C201155CF26161361853DB94A5D85AE753C0A1
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....$helpersPath = Split-Path -Parent $MyInvocation.MyCommand.Definition....$global:DebugPreference = "SilentlyContinue"..if ($env:ChocolateyEnvironmentDebug -eq 'true') {.. $global:DebugPrefe
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1178
                                                                                                                  Entropy (8bit):5.161789340951933
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:cSyJ3554IpgyZA0SU0E+SlHQk1GpsLAjQSDg6pucReEe7:cSyX54pyFd0AlH31KoLKRed
                                                                                                                  MD5:610AD6370C8DACB3861200B8827DF768
                                                                                                                  SHA1:E6831DF0C1ADB4664BDE6D2D48DCE28CC1918A83
                                                                                                                  SHA-256:B06996C9A26663FCF41B2406D12C4597075AB7F94CDD320EEE64EAC9AEA95DFD
                                                                                                                  SHA-512:C3A30128443E47D5D38CFD8C989E8317668EEDA6B4E85BEE94B76034479DEC0BED4C980ACD797153259CF0DF2807E79C3B3F4AAADF21E255A35BBDBE2F2E16E9
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# ..# You may obtain a copy of the License at..# ..# http://www.apache.org/licenses/LICENSE-2.0..# ..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....if (Get-Module chocolateyProfile) { return }....$thisDirectory = (Split-Path -parent $MyInvocation.MyCommand.Definition)..... $thisDirectory\functions\Write-FunctionCallLogMessage.ps1... $thisDirectory\functions\Get-EnvironmentVariable.ps1... $thisDirectory\functions\Get-EnvironmentVariableNames.ps1... $thisDirectory\fun
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2892
                                                                                                                  Entropy (8bit):5.176658574720988
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:RkBibyQwcYIRQcRwAshP5l8kRMCpEMwK/JvoPEY0nzWBIxjO0L5E8bWHtt6rh4:eiAc5HGAshhCQMChR/JsZYzWBeO85Ecm
                                                                                                                  MD5:EF32E09F41D2F8234E4482C6B52FFFB1
                                                                                                                  SHA1:446185592825F7B7894CC5A9E2FCB4F015B9E810
                                                                                                                  SHA-256:ACC5E8AB085FDD00B1C333853D74B1EC15777212A435C2DE8B56A490BE07103C
                                                                                                                  SHA-512:7273DE65F571C4302BAC73C3FA3AEBDB7887B923EABAC10457C2A2C329B67979726440ED0C5E190C7728676D9382D4C8E2F4D030336630BC82AC7AE2FB20B58F
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.param(.. [alias("ia","installArgs")][string] $installArguments = '',.. [alias("o","override","overrideArguments","notSilent")].. [switch] $overrideArgs = $false,.. [alias("x86")][switch] $forceX86 = $false,.. [alias("params","parameters","pkgParams")][string]$packageParameters = '',.. [string]$packageScript..)....$global:DebugPreference = "SilentlyContinue"..if ($env:ChocolateyEnvironmentDebug -eq 'true') { $global:DebugPreference = "Continue"; }..$global:VerbosePreference = "SilentlyContinue"..if ($env:ChocolateyEnvironmentVerbose -eq 'true') { $global:VerbosePreference = "Continue"; $verbosity = $true }....Write-Debug '---------------------------Script Execution---------------------------'..Write-Debug "Running 'ChocolateyScriptRunner' for $($env:packageName) v$($env:packageVersion) with packageScript `'$packageScript`', packageFolder:`'$($env:packageFolder)`', installArguments: `'$installArguments`', packageParameters: `'$packageParameters`',"....## Set the culture to invar
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1751
                                                                                                                  Entropy (8bit):5.27319452124258
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:cSyJ3554IpXAAyU0E+SlHQk1GpsLAKFoYlMp9TlxNAZiTxGEXL5FGX/OFchWoCah:cSyX54q90AlH31Koyh9xnFVVc/4oqPli
                                                                                                                  MD5:12E0A95C9BD0A49DA769C2927C648DFB
                                                                                                                  SHA1:33174164C23D10B43E26CEE56E1A6FB60E8D9F4D
                                                                                                                  SHA-256:3A2A002BD7213ECCE52FB82C470B824770A11DEB0A33DDB319A24824CE4676DA
                                                                                                                  SHA-512:D19E22031409B216A10815FE606852712EF0136B9056541774DC66AE9C57994DE5A667AE1F925D547D1BCCF6AE9221D939F7CE2BFC87ABC98C634858E1CCAA7B
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....Function Format-FileSize {..<#...SYNOPSIS..DO NOT USE. Not part of the public API......DESCRIPTION..Formats file size into a human readable format......NOTES..Available in 0.9.10+.....This function is not part of the API......INPUTS..None.....OUTPUTS..Returns a string representation of the file size in a more friendly..form
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (505), with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):11504
                                                                                                                  Entropy (8bit):5.008896354130034
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:cSyL+QGXHpi+o8HrDe07ZUWKVjakELFiuPOizDIinqSQ/fa:ctL+QGwKS07ZUOZPpDDyfa
                                                                                                                  MD5:9443CB695D075DAA7DE91510A1E35C14
                                                                                                                  SHA1:7676604D3C1F0BD26632DC41FCF1310908D422C6
                                                                                                                  SHA-256:7095FB2F3F44FEE977D3B53DEE93B952D04325108B090F5F7E8503F758C27F18
                                                                                                                  SHA-512:2D0B8C3345B6573F56A54D357BB700D83B3AB5A40DED0AA2DC5A40DAC0523DB86BBC5BAA10CB3B4B1785123B8F32CEC5A86F350AF315A2BFF6885C08BD77758F
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-ChecksumValid {..<#...SYNOPSIS..Checks a file's checksum versus a passed checksum and checksum type......DESCRIPTION..Makes a determination if a file meets an expected checksum s
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):10482
                                                                                                                  Entropy (8bit):5.191184135569746
                                                                                                                  Encrypted:false
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-ChocolateyUnzip {..<#...SYNOPSIS..Unzips an archive file and returns the location for further processing......DESCRIPTION..This unzips files using the 7-zip command line tool 7z.
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):16502
                                                                                                                  Entropy (8bit):5.146477219224201
                                                                                                                  Encrypted:false
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-ChocolateyWebFile {..<#...SYNOPSIS..Downloads a file from the internets......DESCRIPTION..This will download a file from a url, tracking with a progress bar...It returns the file
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):4123
                                                                                                                  Entropy (8bit):5.288017280806032
                                                                                                                  Encrypted:false
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-EnvironmentVariable {..<#...SYNOPSIS..Gets an Environment Variable......DESCRIPTION..This will will get an environment variable based on the variable name..and scope while accoun
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2060
                                                                                                                  Entropy (8bit):5.165746374691896
                                                                                                                  Encrypted:false
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-EnvironmentVariableNames([System.EnvironmentVariableTarget] $Scope) {..<#...SYNOPSIS..Gets all environment variable names......DESCRIPTION..Provides a list of environment variabl
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):7947
                                                                                                                  Entropy (8bit):5.051645140778019
                                                                                                                  Encrypted:false
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.## Get-FtpFile..##############################################################################################################..## Downloads a file from ftp..## Some code from http://stackoverflow.com/questions/265339/whats-the-best-way-to-automate-secure-ftp-in-powershell..## Additional functionality emulated from http://poshcode.org/417 (Get-WebFile)..## Written by Stephen C. Austin, Pwnt & Co. http://pwnt.co..##############################################################################################################..## Additional functionality added by Chocolatey Team / Chocolatey Contributors..## - Proxy..## - Better error handling..## - Inline documentation..## - Cmdlet conversion..## - Closing request/response and cleanup..## - Request / ReadWriteResponse Timeouts..##############################################################################################################..function Get-FtpFile {..<#...SYNOPSIS..Downloads a file from a File Transfter Protocol (FTP) l
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2930
                                                                                                                  Entropy (8bit):5.220783998189862
                                                                                                                  Encrypted:false
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-OSArchitectureWidth {..<#...SYNOPSIS..Get the operating system architecture address width......DESCRIPTION..This will return the system architecture address width (probably 32 or
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):7233
                                                                                                                  Entropy (8bit):5.212503071724739
                                                                                                                  Encrypted:false
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2016 - 2017 Original authors from https://github.com/chocolatey/chocolatey-coreteampackages..# Copyright . 2016 Miodrag Mili. - https://github.com/majkinetor/au-packages/commit/bf95d56fe5851ee2e4f6f15f79c1a2877a7950a1..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....# special thanks to the Core Community Maintainers team and their work..# on the Get-PackageParameters function that is in the..# `chocolatey-core.
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (333), with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3761
                                                                                                                  Entropy (8bit):4.908858016895155
                                                                                                                  Encrypted:false
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-ToolsLocation {..<#...SYNOPSIS..Gets the top level location for tools/software installed outside of..package folders......DESCRIPTION..Creates or uses an environment variable that a user can control to..communicate with packages about where they would like software that is..not installed through native installer
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1891
                                                                                                                  Entropy (8bit):5.216117200464903
                                                                                                                  Encrypted:false
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-UACEnabled {..<#...SYNOPSIS..Determines if UAC (User Account Control) is turned on or off......DESCRIPTION..This is a low level function used by Chocolatey to decide whether..pro
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):6009
                                                                                                                  Entropy (8bit):5.183782879831246
                                                                                                                  Encrypted:false
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-UninstallRegistryKey {..<#...SYNOPSIS..Retrieve registry key(s) for system-installed applications from an..exact or wildcard search......DESCRIPTION..This function will attempt to retrieve a matching registry key for an..already installed application, usually to be used with a..chocolateyUninstall.ps1 automatio
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1815
                                                                                                                  Entropy (8bit):5.188333753523367
                                                                                                                  Encrypted:false
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-VirusCheckValid {..<#...SYNOPSIS..Used in Pro/Business editions. Runtime virus check against downloaded..resources......DESCRIPTION..Run a runtime malware check against downloade
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):12827
                                                                                                                  Entropy (8bit):5.065872919066253
                                                                                                                  Encrypted:false
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# http://poshcode.org/417..## Get-WebFile (aka wget for PowerShell)..##############################################################################################################..## Downloads a file or page from the web..## History:..## v3.6 - Add -Passthru switch to output TEXT files..## v3.5 - Add -Quiet switch to turn off the progress reports .....## v3.4 - Add progress report for files which don't report size..## v3.3 - Add progress report for files which report their size..## v3.2 - Use the pure Stream object because StreamWriter is based on TextWriter:..## it was messing up binary files, and making mistakes with extended characters in text..## v3.1 - Unwrap the filename when it has quotes around it..## v3 - rewritten completely using HttpWebRequest + HttpWebResponse to figure out the file name, if possible..## v2 - adds a ton of parsing to make the output pretty..## added measuring the scripts involved in the command, (uses Tokenizer)..#####################
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):9247
                                                                                                                  Entropy (8bit):5.07010917787166
                                                                                                                  Encrypted:false
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License...#..# Based on http://stackoverflow.com/a/13571471/18475....function Get-WebFileName {..<#...SYNOPSIS..Gets the original file name from a url. Used by Get-WebFile to determine..the original file name for a file......DESCRIPTION..Uses several techniques to determine the original file name of the file..based on the url for the fi
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):5960
                                                                                                                  Entropy (8bit):5.140316008573171
                                                                                                                  Encrypted:false
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-WebHeaders {..<#...SYNOPSIS..Gets the request/response headers for a url......DESCRIPTION..This is a low-level function that is used by Chocolatey to get the..headers for a reque
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):6283
                                                                                                                  Entropy (8bit):5.232086061865062
                                                                                                                  Encrypted:false
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-BinFile {..<#...SYNOPSIS..Creates a shim (or batch redirect) for a file that is on the PATH......DESCRIPTION..Chocolatey installs have the folder `$($env:ChocolateyInstall)\b
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):4293
                                                                                                                  Entropy (8bit):5.147557599553147
                                                                                                                  Encrypted:false
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyEnvironmentVariable {..<#...SYNOPSIS..**NOTE:** Administrative Access Required when `-VariableType 'Machine'.`....Creates a persistent environment variable......DES
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):4549
                                                                                                                  Entropy (8bit):5.216765809932499
                                                                                                                  Encrypted:false
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyExplorerMenuItem {..<#...SYNOPSIS..**NOTE:** Administrative Access Required.....Creates a windows explorer context menu item that can be associated with..a command.
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3080
                                                                                                                  Entropy (8bit):5.192518177403395
                                                                                                                  Encrypted:false
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyFileAssociation {..<#...SYNOPSIS..**NOTE:** Administrative Access Required.....Creates an association between a file extension and a executable......DESCRIPTION..In
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):14313
                                                                                                                  Entropy (8bit):5.166123502608628
                                                                                                                  Encrypted:false
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyInstallPackage {.. <#...SYNOPSIS..**NOTE:** Administrative Access Required.....Installs software into "Programs and Features". Use..Install-ChocolateyPackage when
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):17164
                                                                                                                  Entropy (8bit):5.102467977763193
                                                                                                                  Encrypted:false
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyPackage {..<#...SYNOPSIS..**NOTE:** Administrative Access Required.....Installs software into "Programs and Features" based on a remote file..download. Use Install-
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):4341
                                                                                                                  Entropy (8bit):5.172978110813656
                                                                                                                  Encrypted:false
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyPath {..<#...SYNOPSIS..**NOTE:** Administrative Access Required when `-PathType 'Machine'.`....This puts a directory to the PATH environment variable......DESCRIPTI
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2645
                                                                                                                  Entropy (8bit):5.278706654776255
                                                                                                                  Encrypted:false
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyPinnedTaskBarItem {..<#...SYNOPSIS..Creates an item in the task bar linking to the provided path......NOTES..Does not work with SYSTEM, but does not error. It warns
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):9319
                                                                                                                  Entropy (8bit):5.106965440646972
                                                                                                                  Encrypted:false
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyPowershellCommand {..<#...SYNOPSIS..Installs a PowerShell Script as a command.....DESCRIPTION..This will install a PowerShell script as a command on your system. Li
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):7888
                                                                                                                  Entropy (8bit):5.219559860002251
                                                                                                                  Encrypted:false
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyShortcut {..<#...SYNOPSIS..Creates a shortcut.....DESCRIPTION..This adds a shortcut, at the specified location, with the option to specify..a number of additional p
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):8855
                                                                                                                  Entropy (8bit):5.1654657712280985
                                                                                                                  Encrypted:false
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyVsixPackage {..<#...SYNOPSIS..Downloads and installs a VSIX package for Visual Studio.....DESCRIPTION..VSIX packages are Extensions for the Visual Studio IDE. The V
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):9740
                                                                                                                  Entropy (8bit):5.124129906660506
                                                                                                                  Encrypted:false
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyZipPackage {..<#...SYNOPSIS..Downloads file from a url and unzips it on your machine. Use..Get-ChocolateyUnzip when local or embedded file......DESCRIPTION..This wi
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2178
                                                                                                                  Entropy (8bit):5.225120339484231
                                                                                                                  Encrypted:false
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-Vsix {..<#...SYNOPSIS..DO NOT USE. Not part of the public API......DESCRIPTION..Installs a VSIX package into a particular version of Visual Studio......NOTES..This is not par
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):4463
                                                                                                                  Entropy (8bit):5.326623524611151
                                                                                                                  Encrypted:false
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Set-EnvironmentVariable {..<#...SYNOPSIS..**NOTE:** Administrative Access Required when `-Scope 'Machine'.`....DO NOT USE. Not part of the public API. Use..`Install-ChocolateyEnviron
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1711
                                                                                                                  Entropy (8bit):5.130959499082034
                                                                                                                  Encrypted:false
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....Function Set-PowerShellExitCode {..<#...SYNOPSIS..Sets the exit code for the PowerShell scripts......DESCRIPTION..Sets the exit code as an environment variable that is checked and used..as the exit code for the package at the end of the package script......NOTES..This tells PowerShell that it should prepare to shut down....
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (495), with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):16063
                                                                                                                  Entropy (8bit):5.071535838625921
                                                                                                                  Encrypted:false
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Start-ChocolateyProcessAsAdmin {..<#...SYNOPSIS..**NOTE:** Administrative Access Required.....Runs a process with administrative privileges. If `-ExeToRun` is not..specified, it is r
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1913
                                                                                                                  Entropy (8bit):5.085202352125102
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:cSyL+4pe90AlH31KoMwr86KhPWBT2TiCWezzwYYm6tFnzXHtQ:cSyL+4pGXHFKo2PD2CWbm6nnzXq
                                                                                                                  MD5:12DE733D7CE18AF405D81469211573D3
                                                                                                                  SHA1:89C23822D6717F00281EC45FB24F420678B9901B
                                                                                                                  SHA-256:F07208BE10E70B4774168EC7C0CC86FC594F1D37D991E766EC46EE335302B083
                                                                                                                  SHA-512:38775567CC21292C3E06E6F7A44BC7A3C525CC2A49A95E114CFB0C4BFF2AF7EDAEFB4D09A3FD777482BCB0088507323B5618128B96A4716BE9655010A390453F
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Test-ProcessAdminRights {..<#...SYNOPSIS..Tests whether the current process is running with administrative rights......DESCRIPTION..This function checks whether the current process h
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2897
                                                                                                                  Entropy (8bit):5.162176606162476
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:cSyL+4pe90AlH31KoMjgAOTJEd4phQ44Yb1eVGXsjlKo9obKB9x/kgeoS5:cSyL+4pGXHFKod+aSZVLjo7m1Ju5
                                                                                                                  MD5:B0DDD1F261098CAF4092E78539A61796
                                                                                                                  SHA1:6F753444CE488773EC7AD4942BFB79BF79BC2A65
                                                                                                                  SHA-256:12E80EA9AA3D894DB1BB1999DD766EF4925ECD59FEC8DEDCABF241DE96E1A949
                                                                                                                  SHA-512:5C624D18321916C905287595ECC72CF996F24F27E68E22F35C1D07AD7004F579EE64D3E0AE5AE6867DE13A02E61F9893D3DB848A82D41FEC309C77DD88752F75
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Uninstall-ChocolateyZipPackage {..<#...SYNOPSIS..Uninstalls a previous installed zip package, may not be necessary......DESCRIPTION..This will uninstall a zip file if installed via I
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3683
                                                                                                                  Entropy (8bit):5.175198661740516
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:cSyL+4pGXHFKo2fFecAVuAlxoVGv5nPcdTmqKYDqnShM:cSyL+QGXHc0nVuAlOVGvpPcdTmx
                                                                                                                  MD5:FCD698961855179908D84E45C1699CD3
                                                                                                                  SHA1:449CF377EA5EEFC250DF24DC64F36F374C3EA022
                                                                                                                  SHA-256:093191162E950B4CFDCDD066865C74E47F3F05B3543A9A98A7B82AD98C8236CA
                                                                                                                  SHA-512:96C0B5867C19A9F06C81F507102FDBCC270BEBAB132E8A3EDE88CED129E369D282AC5F874B0F0AB94214C41C857EF74735909045AA3FDACFF96C74A38FA7AFB6
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Uninstall-BinFile {..<#...SYNOPSIS..Removes a shim (or batch redirect) for a file......DESCRIPTION..Chocolatey installs have the folder `$($env:ChocolateyInstall)\bin`..included in t
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3131
                                                                                                                  Entropy (8bit):5.1027007896112115
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:cSyX54q90AlH31KoMSta1Qr44qR4MXbVqlzmwETvp6SCodQsV:cSyp4aXHFKovRVKVwETB6SCu
                                                                                                                  MD5:256F7D3F77746A9167E513497A1DEF85
                                                                                                                  SHA1:0F213C21586F176C405C1877C6E7D2FD5B8E85AC
                                                                                                                  SHA-256:4CE0A48B7A6D6FE997324F7F916DEA532754E4C371CEE38CACE5134EA1D3A101
                                                                                                                  SHA-512:763263F5E68A1CB7391394570A7CCDDAF518A1522E3F0435EA62848631A03CF278E15F6375F02C0466CBEEBB4365BA419ADB3AB6549BA3BCB09C9BB718825F03
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Uninstall-ChocolateyEnvironmentVariable {..<#...SYNOPSIS..**NOTE:** Administrative Access Required when `-VariableType 'Machine'.`....Removes a persistent environment variable......DESCRIPTION..Uninstall-ChocolateyEnvironmentVariable removes an environment variable..with the specified name and value. The variable c
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):6062
                                                                                                                  Entropy (8bit):5.047713257621158
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:cSyL+4pGXHFKoQ79vUU2ZTooaYjuVSQPsVeqYQfiyLi9xSQeSDHyXfOWQfpQf6:cSyL+QGXHweZdlFV8bQ7ov
                                                                                                                  MD5:39599553B392FDEA36398A474FD623F2
                                                                                                                  SHA1:89587AEDEC8ECADD274EE80EE43101032A55BAD4
                                                                                                                  SHA-256:716E51F45EA009C6AEC10F123C58A837516E59910CD0DFB274DF0FF6A56EBF08
                                                                                                                  SHA-512:1BA55A2CEC0EA911B3418FA8B1979EE8EF45C16033C82F1794416CA85D8F7D9B2618855008F8014BD1FA2A8466ECEB9E36A41E985122F8D04C765051C6DAF5C0
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Uninstall-ChocolateyPackage {..<#...SYNOPSIS..Uninstalls software from "Programs and Features"......DESCRIPTION..This will uninstall software from your machine (in Programs and..Feat
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3611
                                                                                                                  Entropy (8bit):5.0574071891740795
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:cSyL+4pGXHFKosxHb1u5jen+UMGeKJ1qeg:cSyL+QGXHWp+i5MzK/g
                                                                                                                  MD5:AB7F32D92867D5CC52CB177374C656C2
                                                                                                                  SHA1:ACB20AAADD71C921899DE91640DA2AB5F78984CA
                                                                                                                  SHA-256:A1AD9ED3C049CA14C7970AA17CF5C6A28448E70FF2BE4E438A61C6DAB68E82B7
                                                                                                                  SHA-512:22295E4C289EC0057B3F13A3B9C18B9B02CC4379D8E1F4F6FEBE48A45A05D92A5384EC158E4370CB5E67F33751377C2CD81C4F8E555145C49BF7680FE545F905
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Update-SessionEnvironment {..<#...SYNOPSIS..Updates the environment variables of the current powershell session with..any environment variable changes that may have occured during a.
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1974
                                                                                                                  Entropy (8bit):5.219633769893594
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:cSyJ3554IpXAAyU0E+SlHQk1GpsLA9i9yVMppqTDf3nQytTxGEN8X/+nKB0chWqc:cSyX54q90AlH31KoMYpqfvVF2M1zrvn
                                                                                                                  MD5:6A2F945A16F003443B3C14907163C357
                                                                                                                  SHA1:EBDDA9AC96E6F71D0BEED493C5074F2CAFE638C2
                                                                                                                  SHA-256:279171398D6F65221D4636DA730AB2F07C6DD56321BF76A03D0CA7D3D7B0B574
                                                                                                                  SHA-512:C09FC9C169D5197B841EED9D44135F43AA8D11CC0463A567E922FE019545C9036542AD40AF5D64B808AF92E143787A8231CBF4F5B8A2F8F94E48614E8E06EFA0
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Write-FunctionCallLogMessage {..<#...SYNOPSIS..DO NOT USE. Not part of the public API......DESCRIPTION..Writes function call as a debug message......NOTES..Available in 0.10.2+.....This function is not part of the API......INPUTS..None.....OUTPUTS..None.....PARAMETER Invocation..The invocation of the function (`$My
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):280624
                                                                                                                  Entropy (8bit):5.69143427619248
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:8G0WgexKpGi8PnJcerXUaxX3HVeES4BEIqTTpX/4ormGpnaVTSGCkMhkEn7GAhC7:8JrycoB3HVeESME3pnaVTS1nh7hCaO
                                                                                                                  MD5:F9450AE9B1DAF75A772A5CC8D359DAF6
                                                                                                                  SHA1:C693C23797E103DEFDB6FFCD95BBD35FDEEB50BF
                                                                                                                  SHA-256:BED3F5FDA16870BD55C2BF43ED48C8BE610DDB5D1C17E8E501F8273504A2E04C
                                                                                                                  SHA-512:05825B0FA8B4E54D8882C084144148F82F125A18C95F14BD6A0F9AEB394B393F6F1DE6B180D8E87E24D7925D89A1C727A3A15EB1C75511E3EB3FE835BC563CA5
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):648
                                                                                                                  Entropy (8bit):5.324634979066261
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:lRYem717f8PV7UGph/QtIZ0Yem717f8PV7UGAA9ae/AC7iBd6Fg/HtFRIk:AVR897N/NVR897rG8iBLtFl
                                                                                                                  MD5:9909000FDCD78906DF6DAC80D4886566
                                                                                                                  SHA1:0AE2A7449B30CFB70BFBECCF8FEBFDADC5E1FBDB
                                                                                                                  SHA-256:72FB7BBAC062459A7460EC7CA90A29D17849AC0FFBBDE7569E107AAE41A51E1A
                                                                                                                  SHA-512:328165014B8B6D460514F09149969F15B83C8DE4E55C04EF26A7A942E6CBAA9514E5381F057058F10FE65A968EB0455FF351BE297E3F5FCB55A67044C1CB819F
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\choco.summary.log, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:2024-09-05 11:24:13,150 4508 [WARN ] - Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist...2024-09-05 11:24:13,994 4508 [WARN ] - Enabled allowGlobalConfirmation..2024-09-05 11:24:14,212 4508 [WARN ] - Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist...2024-09-05 11:24:15,025 4508 [WARN ] - 0 packages installed...2024-09-05 11:24:15,337 4508 [WARN ] - ..Did you know Pro / Business automatically syncs with Programs and.. Features? Learn more about Package Synchronizer at.. https://chocolatey.org/compare..
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):14315
                                                                                                                  Entropy (8bit):5.439721882658949
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:mcGGiCe2AdC5CzVhgH8TdItU+cAUDZXKAi5e2AdC5CzVhgH8TdftU+4AUD8RH:o3C5CzzhdItHcAy3C5CzzhdftH4Aj
                                                                                                                  MD5:07A5B7F0A18E0C5ECC7B46E8EC2186A8
                                                                                                                  SHA1:D8FE7AD8F95D61B2CEB1E1C02DB6CCBC7D4C129E
                                                                                                                  SHA-256:BF7B69A38CFDB390A847859AC22EAFA47A222D8C8F96D0DDE6E6E2D07F440DD2
                                                                                                                  SHA-512:E76444CA493BC1E53B47072B0137CC7033A67B5614C39613863C029D51204E6BD1CBA04201FA17C9747E47DF70152DB74D2DB1F8747416126EB94C745023ADE2
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\chocolatey.log, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:2024-09-05 11:24:08,697 4508 [DEBUG] - XmlConfiguration is now operational..2024-09-05 11:24:08,744 4508 [DEBUG] - Attempting to create directory "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers"...2024-09-05 11:24:08,759 4508 [DEBUG] - Attempting to create directory "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions"...2024-09-05 11:24:09,603 4508 [DEBUG] - Attempting to create directory "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects"...2024-09-05 11:24:09,884 4508 [DEBUG] - Attempting to create directory "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools"...2024-09-05 11:24:10,697 4508 [DEBUG] - Attempting to create directory "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\config"...2024-09-05 11:24:12,337 4508 [DEBUG] - Attempting to create direc
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:ASCII text, with very long lines (3776), with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3776
                                                                                                                  Entropy (8bit):5.603540934115614
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:23atu7rZHJfOIdTl/HMSId6k/ShIdJhIQdlzb1kIZK/:23atIrZHJfOITdHZI6k/ShIJhpdBb+si
                                                                                                                  MD5:18DACAC6E3D91CD5859FFA2F9A876529
                                                                                                                  SHA1:7D6AD6EEC50032CA9114B26BCC7DCCFED84F6C6B
                                                                                                                  SHA-256:6D8763B71772789483392A36EE6E1950F9C22DD7AA2E79E4B26097161201002D
                                                                                                                  SHA-512:FA76C8ECF5B20D03062A0655DEF6A54C13C9989975124E6823FE967B7962D6C3E398D4AD861B1611AE663BEF032B4B8B3AFA8BCB843A1B886CF74EED3FF3016F
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2340
                                                                                                                  Entropy (8bit):5.120693108028518
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:WJhzy3v9zec4JksG5A10JZ65RhS9JlqUp7B9nplD6e7B5yg:42V6Q5A1B5C9L/
                                                                                                                  MD5:B4326546C3A252494DCD512976F8B89A
                                                                                                                  SHA1:09D10EA0ABDBDE8C2B5BAFE410ED3B96AB0076C8
                                                                                                                  SHA-256:9B251737A6B6ACE9FDE45B64FD653B04575C6416F15112FBE1697A47B14990E6
                                                                                                                  SHA-512:E58EDC6DC66A289358E7FDE7C3F1D73A0EE1F7A6DB382DD1318FAA205E12271C081617B8366ECD1FCB3A0BC5A98F4B0F0C389C99A63D9EDF7CE1BD230AC85EC2
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:@echo off..::..:: RefreshEnv.cmd..::..:: Batch file to read environment variables from registry and..:: set session variables to these values...::..:: With this batch file, there should be no need to reload command..:: environment every time you want environment changes to propagate....::echo "RefreshEnv.cmd only works from cmd.exe, please install the Chocolatey Profile to take advantage of refreshenv from PowerShell"..echo | set /p dummy="Refreshing environment variables from registry for cmd.exe. Please wait..."....goto main....:: Set one environment variable from registry key..:SetFromReg.. "%WinDir%\System32\Reg" QUERY "%~1" /v "%~2" > "%TEMP%\_envset.tmp" 2>NUL.. for /f "usebackq skip=2 tokens=2,*" %%A IN ("%TEMP%\_envset.tmp") do (.. echo/set "%~3=%%B".. ).. goto :EOF....:: Get a list of environment variables from registry..:GetRegEnv.. "%WinDir%\System32\Reg" QUERY "%~1" > "%TEMP%\_envget.tmp".. for /f "usebackq skip=2" %%A IN ("%TEMP%\_envget.tmp") do (
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):136704
                                                                                                                  Entropy (8bit):5.174853806484254
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:ED98HpKI6GCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:Y9GpKbShcHUa
                                                                                                                  MD5:DDD072DBD2267BCB3081340E57ED092B
                                                                                                                  SHA1:04EC398A1DE53DC960A882363A528E162350C57C
                                                                                                                  SHA-256:460F604144DD93A3794F75C9E09B2676D7AD1295CD92499FAD80ED3C27990F02
                                                                                                                  SHA-512:2271C5846254EAA7389D23EE0241814D06D34257A7B6D44FE7CBEA14F3ACA5101457FAD934B22D2B9B49F1263BCB4209D8EADC07DB93E2B5E01CCDA5BD6ED2A8
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2
                                                                                                                  Entropy (8bit):1.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:y:y
                                                                                                                  MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                  SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                  SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                  SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:..
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):137216
                                                                                                                  Entropy (8bit):5.162895637606263
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:KMU90HpKOrGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:K59OpKgShcHUa
                                                                                                                  MD5:0BCC21AC34291B167EC4D73079EAE085
                                                                                                                  SHA1:BAEF2A7349E2C6269BBF2C8C6654C492683FC73E
                                                                                                                  SHA-256:14288199533B10CAD97F5917447979BBC4685F20255AA073EC1BB828D3CF6A2C
                                                                                                                  SHA-512:9B7CC423E4F27DFF6006425311A6CC39CBA9CB5D3D4966C81FDA21C5907A434B6A748A92B65229A01A65440D8BA2D87D9E8C99CE80E2062569232A10AE74F9BA
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2
                                                                                                                  Entropy (8bit):1.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:y:y
                                                                                                                  MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                  SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                  SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                  SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:..
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):137216
                                                                                                                  Entropy (8bit):5.162623164553414
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:1w9mHpKZNGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:C9UpK7ShcHUa
                                                                                                                  MD5:55CC3EA23C5430BE7B5A75A52157DA18
                                                                                                                  SHA1:AB1D482F2B5E7E0DAD31EA18B78D5F8EA849B87D
                                                                                                                  SHA-256:BE0494DC91E38456E22692F3AB1891C56871FB82A83ADFDC58F8F890141ECEC9
                                                                                                                  SHA-512:C09E0476E2D1F69A878195A4026954C5D74C0B5318254A60ABC5909F00A60CCE86D49D29BBF1ECAE498BCE0C2FD2551EFEF0FE287DAB7EAD2FE573CCC833CF3E
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2
                                                                                                                  Entropy (8bit):1.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:y:y
                                                                                                                  MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                  SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                  SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                  SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:..
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):137216
                                                                                                                  Entropy (8bit):5.162059784215363
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:YE9tHpKrvGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:795pK7ShcHUa
                                                                                                                  MD5:4E2DC776C653ADBEBCF5DB16AB53296E
                                                                                                                  SHA1:290457CFC7EC45A493CCEACD2CA24A47237494C1
                                                                                                                  SHA-256:2DCB2236BB84AE42F4395E72EC67A22CBE0E68ADA4F80FABD7141B5B3D4E7985
                                                                                                                  SHA-512:533B424AFD7E5BF831BB72164D91B663A2368D458A3EFFFF7062A15D1AB77585C087FA5A5471D3530CCF30309AC30C35EAA4A9168A350071A64E912E15012311
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2
                                                                                                                  Entropy (8bit):1.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:y:y
                                                                                                                  MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                  SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                  SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                  SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:..
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):137216
                                                                                                                  Entropy (8bit):5.162082250130723
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:GI9KHpKHDGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:l9QpKjShcHUa
                                                                                                                  MD5:76385C4CF0842546103EDD75662BDAD7
                                                                                                                  SHA1:BC42B5817E6BB3568CC6D7C0BD2B03E8B723024B
                                                                                                                  SHA-256:67EB4084D0BD361C42FFD7AF025167BAFCE8496A35CA6616945E0942386C6424
                                                                                                                  SHA-512:BAB9B5AE9B89697A7FA83D0D29A4DB0B777F126EEC8DF3BAE9B009AF9A0D556BB79BF2DCED1D26C7A8E900AC5AA7DDE07CEC334DA6418925F352554383F77EC2
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2
                                                                                                                  Entropy (8bit):1.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:y:y
                                                                                                                  MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                  SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                  SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                  SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:..
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):137216
                                                                                                                  Entropy (8bit):5.163276282537277
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:pS791HpKIqGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:pO9xpKbShcHUa
                                                                                                                  MD5:5C9628C46256D0F6B14DE2168CBED8CC
                                                                                                                  SHA1:B7284385B0076623B76EC3FB2398B5EE8F3B9F85
                                                                                                                  SHA-256:354C3758A1F9E5A39E7292E9CCA353F815358977B3CC9A704BCEAB257AC6C24C
                                                                                                                  SHA-512:84886CF1632EFA70D8023F99A663E809422DFCC1C566793EF52078551DA105BFF1B2F9D54E197D8CCE53C3C725226635D623D9D539B5BFD4C17C802286EFADB4
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2
                                                                                                                  Entropy (8bit):1.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:y:y
                                                                                                                  MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                  SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                  SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                  SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:..
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):137216
                                                                                                                  Entropy (8bit):5.162239721051707
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:TR9vHpKmEGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:F9/pKvShcHUa
                                                                                                                  MD5:8783ED37D6871AE20E4A65A655788A7E
                                                                                                                  SHA1:C42F5B032CF27FFC36869C22D5BE0363AC2E5AF4
                                                                                                                  SHA-256:5AFEF49A1BB85ED16EE7EF08D9ED694F166A9500701728770E50E92978566C5B
                                                                                                                  SHA-512:1FE424147DBAD7978F0C856D152F3236685C52DBCA5DD6AB7A03E5D1B8A08566FDF4574C4704FBEDF286A4C13B354D771E25D1B725D55578C14E9EAB2D8F9898
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2
                                                                                                                  Entropy (8bit):1.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:y:y
                                                                                                                  MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                  SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                  SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                  SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:..
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1167872
                                                                                                                  Entropy (8bit):6.603432444128302
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24576:Gxb5vMX35l5UVrIdhcMEKWnttf7eePboHvVxSfOtl:GxbSz5UVrIdhnW1Pc96Otl
                                                                                                                  MD5:0DCE103B0102ADEC3279797665B7A4AE
                                                                                                                  SHA1:C121392BAB6DBA8D04BEE89C6B526E8E67650CC8
                                                                                                                  SHA-256:3DB62076E5FCC897FF29DA47FE4029900A4AD696B395B6FA96ACFF1229444C1D
                                                                                                                  SHA-512:20F0F02097694579AC8794D56411FBE2D97C47D37794CB52AFDABC9956C0452E8A3BB273ED34E463F31927E29E7E41C0FDDB82FBBE688DD39C4113C00EC91BC9
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):513
                                                                                                                  Entropy (8bit):4.971000586893018
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:TMHdt43O5GgVNSSN/aN/2UjMNciq2xA5NEG:2dt4+GgBNCNFjMyisD
                                                                                                                  MD5:8F89387331C12B55EAA26E5188D9E2FF
                                                                                                                  SHA1:537FDD4F1018CE8D08A3D151AD07B55D96E94DD2
                                                                                                                  SHA-256:6B7368CE5E38F6E0EE03CA0A9D1A2322CC0AFC07E8DE9DCC94E156853EAE5033
                                                                                                                  SHA-512:04C10AE52F85D3A27D4B05B3D1427DDC2AFACCFE94ED228F8F6AE4447FD2465D102F2DD95CAF1B617F8C76CB4243716469D1DA3DAC3292854ACD4A63CE0FD239
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="7z" processorArchitecture="*" type="win32" />.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">.. <requestedExecutionLevel level="asInvoker" uiAccess="false" />.. </requestedPrivileges>.. </security>.. </trustInfo>..</assembly>..
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):331776
                                                                                                                  Entropy (8bit):6.512244761259412
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:J5lqo52kDzMYDJSi7+Ni2ER9Vh98+1PrEVhkQf0huIDaLOjm:JMqzBDJkk2ERvT8MPAf/O6
                                                                                                                  MD5:7187AE605F4DCE14BB23EA2623956335
                                                                                                                  SHA1:F7C1DF33B875C98F41DCDE24117D89D42D25B7CE
                                                                                                                  SHA-256:9E2631C19B243C28B0980607CED2540E9447B1166572483475547C1A9DD4AC0E
                                                                                                                  SHA-512:F64522E2FB6BB61884FE53C34E79B355EFB9EC33C02B2CD67D729AF7D763E7B3873A5C7CE6AC7BB4567E6BCF8C70CADBC66F511E8BB151AB05096A832032BC8F
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):513
                                                                                                                  Entropy (8bit):4.971000586893018
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:TMHdt43O5GgVNSSN/aN/2UjMNciq2xA5NEG:2dt4+GgBNCNFjMyisD
                                                                                                                  MD5:8F89387331C12B55EAA26E5188D9E2FF
                                                                                                                  SHA1:537FDD4F1018CE8D08A3D151AD07B55D96E94DD2
                                                                                                                  SHA-256:6B7368CE5E38F6E0EE03CA0A9D1A2322CC0AFC07E8DE9DCC94E156853EAE5033
                                                                                                                  SHA-512:04C10AE52F85D3A27D4B05B3D1427DDC2AFACCFE94ED228F8F6AE4447FD2465D102F2DD95CAF1B617F8C76CB4243716469D1DA3DAC3292854ACD4A63CE0FD239
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="7z" processorArchitecture="*" type="win32" />.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">.. <requestedExecutionLevel level="asInvoker" uiAccess="false" />.. </requestedPrivileges>.. </security>.. </trustInfo>..</assembly>..
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1927
                                                                                                                  Entropy (8bit):4.78095675693374
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:aCpXZHRo7dL53iEu+byAHsv7g6z0zBZfNP3VyFA:dlq7XTu+xCz0NxxVwA
                                                                                                                  MD5:899A48828B85C4B0402EE7CF1F65B62B
                                                                                                                  SHA1:73BA604E5A4E4EA6FB4AD23B8ADF3982B2C82D10
                                                                                                                  SHA-256:20343526E04CE61EED2675282462E7080D305246F7807386621149C2025765D9
                                                                                                                  SHA-512:EFD02998961261FFA64332EA13876906D55A8BD8209BF94F922D97889DDF1181129B6A08E5747F1C0A07E69CFC3A05E86D18AFC3E06325B51598F52360881B1B
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview: 7-Zip.. ~~~~~.. License for use and distribution.. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.... 7-Zip Copyright (C) 1999-2016 Igor Pavlov..... Licenses for files are:.... 1) 7z.dll: GNU LGPL + unRAR restriction.. 2) All other files: GNU LGPL.... The GNU LGPL + unRAR restriction means that you must follow both .. GNU LGPL rules and unRAR restriction rules....... Note: .. You can use 7-Zip on any computer, including a computer in a commercial .. organization. You don't need to register or pay for 7-Zip....... GNU LGPL information.. --------------------.... This library is free software; you can redistribute it and/or.. modify it under the terms of the GNU Lesser General Public.. License as published by the Free Software Foundation; either.. version 2.1 of the License, or (at your option) any later version..... This library is distributed in the hope that it will be useful,.. but WITHOUT ANY WARRANTY; without even the implied warranty of.. MERCHANTABI
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):29184
                                                                                                                  Entropy (8bit):5.423222213276874
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:02aUriLtuRZFwdpyTmNSHSBLVogO6QlRSO/:1r0ARZF6NFVogjQlRv/
                                                                                                                  MD5:5CA71CBFF5A8DE7E5E30B6E94CD42069
                                                                                                                  SHA1:991701A32492D743430627CBFBD56D6884C32588
                                                                                                                  SHA-256:23FBD1EE66FCE6872E97B2FE84C409AB30A74FE8720B722BC6F8BAE6E7764C04
                                                                                                                  SHA-512:77E31EC0DCA4E4895D3A4C0E84C6C1516D94089763F1735CAC150EFCD4EEC36107BB810E24D94C1208B7A80881D858DBFE887B32DA6F6D8F0C48F21C2525D0BE
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):150
                                                                                                                  Entropy (8bit):4.731888600769331
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:vFWWMNHU8LdgCQcIMOofoObWNRXGws8FLu+gNlFueRObK4QIMOn:TMVBd1IGPKNxgUaNNu5W4QIT
                                                                                                                  MD5:E9AD5DD7B32C44F8A241DE0E883D7733
                                                                                                                  SHA1:034C69B120C514AD9ED83C7BAD32624560E4B464
                                                                                                                  SHA-256:9B250C32CBEC90D2A61CB90055AC825D7A5F9A5923209CFD0625FCA09A908D0A
                                                                                                                  SHA-512:BF5A6C477DC5DFEB85CA82D2AED72BD72ED990BEDCAF477AF0E8CAD9CDF3CFBEBDDC19FA69A054A65BC1AE55AAF8819ABCD9624A18A03310A20C80C116C99CC4
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <enforceFIPSPolicy enabled="false"/>.. </runtime>..</configuration>
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):95
                                                                                                                  Entropy (8bit):4.721635609555772
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:SZdFVJMXLreqXy1Wfardzl7BZyOX35++n:Sls/t+WfKj+OXV
                                                                                                                  MD5:A10B78183254DA1214DD51A5ACE74BC0
                                                                                                                  SHA1:5C9206F667D319E54DE8C9743A211D0E202F5311
                                                                                                                  SHA-256:29472B6BE2F4E7134F09CC2FADF088CB87089853B383CA4AF29C19CC8DFC1A62
                                                                                                                  SHA-512:CAE9F800DA290386DE37BB779909561B4EA4CC5042809E85236D029D9125B3A30F6981BC6B3C80B998F727C48EB322A8AD7F3B5FB36EA3F8C8DD717D4E8BE55E
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:CheckSum is licensed as Apache v2 - https://raw.github.com/ferventcoder/checksum/master/LICENSE
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):565672
                                                                                                                  Entropy (8bit):5.0581002983018335
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:hjgGwLGK4Uk0Ycoi6DdP51S2XI5cgGlKFTvr5pgx1v9/oLUmP9nVy:h7wj4kYcopdPm2ac8+1vVmPHy
                                                                                                                  MD5:F7B6AA803BE23C3192FCC2058D208F44
                                                                                                                  SHA1:A9569D1A4948FD33D388BB263B5CFF0D66E3BB34
                                                                                                                  SHA-256:D489923F1F91954B8AA15CD0E763132B9033780481D850D74395F5AB6E266C7C
                                                                                                                  SHA-512:7FD6E1B291503AC9A67128BAC2D6C8F21B40CE9DE99E015866FC62C79CBBAFCD25F3F43A0EB77A00B20C1D6BE9504E85458D503647BF2CF93BC71DAFB64AF122
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3758
                                                                                                                  Entropy (8bit):4.882012677800436
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:wwVl/ldfbBaq9k4KM8da2J7LbyM71wKPC/:rVl/ldfsn4KM8daU7LP5wn/
                                                                                                                  MD5:89AC7C94D1013F7B3E32215A3DB41731
                                                                                                                  SHA1:1511376E8A74A28D15BB62A75713754E650C8A8D
                                                                                                                  SHA-256:D4D2EF2C520EC3E4ECFF52C867EBD28E357900E0328BB4173CB46996DED353F4
                                                                                                                  SHA-512:9BA2B0029E84DE81FFEF19B4B17A6D29EE652049BB3152372F504A06121A944AC1A2B1B57C6B0447979D5DE9A931186FEF9BD0667D5358D3C9CB29B817533792
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:Shim Generator - shimgen.exe..Copyright (C) 2017 - Present Chocolatey Software, Inc ("CHOCOLATEY")..Copyright (C) 2013 - 2017 RealDimensions Software, LLC ("RDS")..===================================================================..Grant of License..===================================================================..ATTENTION: Shim Generator ("shimgen.exe") is a closed source application with..a proprietary license and its use is strictly limited to the terms of this ..license agreement.....RealDimensions Software, LLC ("RDS") grants Chocolatey Software, Inc a revocable, ..non-exclusive license to distribute and use shimgen.exe with the official ..Chocolatey client (https://chocolatey.org). This license file must be stored in ..Chocolatey source next to shimgen.exe and distributed with every copy of ..shimgen.exe. The distribution or use of shimgen.exe outside of these terms ..without the express written permission of RDS is strictly prohibited.....While the source for shimgen.exe is
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1185456
                                                                                                                  Entropy (8bit):7.999660178690134
                                                                                                                  Encrypted:true
                                                                                                                  SSDEEP:24576:Ssoja9MaLduouhVlf0tyv29r1+IdjkaCgs54gvUokF4fEFBb:HoFOJuhV+tyor1+I+aqdM2MFBb
                                                                                                                  MD5:6C6F85E896655A6EB726482F04C49086
                                                                                                                  SHA1:2E0C55CD4894117428B34D21A1D53738FCE4B02C
                                                                                                                  SHA-256:E109400A93FEDE90201BBF37C1868C789888BCE9D03A4AE5B46C48599939C34E
                                                                                                                  SHA-512:B58303C149DEFFC9E374D5BA42A8A73B7CE890D35F9589FE0B09ACEC541A21D589D49FA5086B965277FA22DFE308357505124F13A6FF1E0DE415EBC40CE61E15
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):55344
                                                                                                                  Entropy (8bit):6.139210251385105
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:N2Xj3YqBmARWhNqjxcVqnOvdBsqW/BCiFl0scb/MV7Hx/:wX5BqSBjb0tb/MVJ
                                                                                                                  MD5:77C613FFADF1F4B2F50D31EEEC83AF30
                                                                                                                  SHA1:76A6BFD488E73630632CC7BD0C9F51D5D0B71B4C
                                                                                                                  SHA-256:2A0EAD6E9F424CBC26EF8A27C1EED1A3D0E2DF6419E7F5F10AA787377A28D7CF
                                                                                                                  SHA-512:29C8AE60D195D525650574933BAD59B98CF8438D47F33EDF80BBDF0C79B32D78F0C0FEBE69C9C98C156F52219ECD58D7E5E669AE39D912ABE53638092ED8B6C3
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2010
                                                                                                                  Entropy (8bit):5.013965898836397
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:3rrb7O7Rgdp+1/gYoSagFsg+w3Sg+Cag+XgjdgDt:7rne4wCNj
                                                                                                                  MD5:0B17B3BE9B3A6F6879998D280941DE55
                                                                                                                  SHA1:EDE825B51EE11AF7C9221DCE596BB969CD068529
                                                                                                                  SHA-256:1D69336E421C535CECF2E0326BE39B44EEC8EA39754AC8E855D8E0368E0F4619
                                                                                                                  SHA-512:06D9CC03B8F7295A6E02376159EA96A83CAED4B584769370C0BF365B25D29C883BA5C8359CFEB7316D13C93B49FD37CCA267F6E7931220CED71435E1F4B639C8
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <d
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):11
                                                                                                                  Entropy (8bit):3.459431618637298
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:WhUnn:Wu
                                                                                                                  MD5:5EDA46A55C61B07029E7202F8CF1781C
                                                                                                                  SHA1:862EE76FC1E20A9CC7BC1920309AA67DE42F22D0
                                                                                                                  SHA-256:12BF7EB46CB4CB90FAE054C798B8FD527F42A5EFC8D7833BB4F68414E2383442
                                                                                                                  SHA-512:4CF17D20064BE9475E45D5F46B4A3400CDB8180E5E375ECAC8145D18B34C8FCA24432A06AEEC937F5BEDC7C176F4EE29F4978530BE20EDBD7FED38966FE989D6
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:version=1.6
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):93232
                                                                                                                  Entropy (8bit):6.195903304850222
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:zSvbne0Q41qJ3n8JMW+0KcBLQhZV5M+5Nn0komH7yAfRS7Hx9:zS8UMW+BV5M+5Nn0kom/RS3
                                                                                                                  MD5:B969BFF44179BF8A3584EEB9E026CAE1
                                                                                                                  SHA1:DBA7A528F51870B89AED549E81EF0660F43B2943
                                                                                                                  SHA-256:5EE05D3796AB12ECF7F2D32D48D41D2A2A3FD257AD8456A0EBD5E6019492ECF1
                                                                                                                  SHA-512:F0643905258D2C09CA0A6C30A0A9AD5AD2FE184A65B7FFA5B7B731FEE8357672B35246626A10B39DF7C18EF1B75328192495685DDF9CD2F524E913D6A2993E18
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):95280
                                                                                                                  Entropy (8bit):5.998418289121845
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:6iLY8I1pq2jBTn9kbf0KNGVIYMcoS1JkEX5g7HxlF:/Z0PMcjrgF
                                                                                                                  MD5:3AB0B86F5D058374AC789F05FB6C6E81
                                                                                                                  SHA1:4C8142A6EA10F48735429B125ADC278178FA0082
                                                                                                                  SHA-256:5F773968BD0501D91C4AE1339D248B4F766C39885B35088953AFB1BE6FBCC4E8
                                                                                                                  SHA-512:1A6CC62361FDD20A99D9551E677269D9D67B6F4B66C09083E07AE5732C23FFE15A5E687437A16A27896A19DECEB9F23D7614B6CC44445C365E3A59DED1AEE6E2
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):16432
                                                                                                                  Entropy (8bit):6.6559468525212
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:192:wXh+/DtYchNyby2sE9jBF6IYiYF8pA5K+oCGUHFeFl55qz:wXh+tYmNyb8E9VF6IYinAM+oCaF5qz
                                                                                                                  MD5:8E2D0F47E477FAE8132492A31B26F1B3
                                                                                                                  SHA1:6C3EB7CB1D5E942DC6A62767A701D201E2F69CE1
                                                                                                                  SHA-256:7C8CD3B61286AAC09534541EDBFF10618938236830167581BD3E922CA55A1456
                                                                                                                  SHA-512:B40EA70361F5AFCCB3DC41D38A4F302AEE00B9AAC206AD2DFBD1591A7722AF732BC820C3C66EA3BC0816D4C98E364D1345077EDC786ED19135659AC91E0CFC06
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):75312
                                                                                                                  Entropy (8bit):6.23943595769723
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:Tu2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrYH:KF+qo7mDEwj4NXLGcfgruFcg7HxRt
                                                                                                                  MD5:D5B69F2C4F5CB0E7D43D7F6C1C87DC7E
                                                                                                                  SHA1:98FDA78C049D650E47C17D9072E82D87C1B59E9F
                                                                                                                  SHA-256:6C1325D183C7CC3E516628921005F18BB5A191B0029AF93DFB022CA4C2ABBAE9
                                                                                                                  SHA-512:D95C5CD5E9DAC57FA9C5DE8645F637363A5E787A8C521B09BFBEA56D01765F4FC31E4080BDCAD28BBD90FDB9BEE1CAB50E95FF13CFAC728405D87C3EFE3A387B
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):52272
                                                                                                                  Entropy (8bit):6.4113040933608225
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:TQMnML8f1VNPa7fb8LRaIzlRK/usybUjuUY0vZKE8tcqPqZw+I39Wu1FEpYinAMU:T9ML8LW/usybGYVE8mZw+89Wu1e7Hxav
                                                                                                                  MD5:94B12931B9032E80157DC27422393FEC
                                                                                                                  SHA1:2B762FCA27538B55ACF736F7D65E293E5F15EAEA
                                                                                                                  SHA-256:746AD9902D9310CC2F172736AC156018ECD3843BA58C8337DE017074B06CD645
                                                                                                                  SHA-512:D943A39FDD74627514818DAF3434BD1ABEB4EE10077E8B10414098DDA2972851795A15CBD4CAD73A67D5171446E4A6D844CDF8BD705E72F34B7DA16678097BE9
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):398896
                                                                                                                  Entropy (8bit):6.1343664856235245
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:5jS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/ZmvM:5+e55LgIkTmyAAfTnMLvM
                                                                                                                  MD5:FACA1B5218F8EB76963366A6842E122D
                                                                                                                  SHA1:41B281ABA7D7FE994EE6C77F7F71042885919EC0
                                                                                                                  SHA-256:D779F3514666734455B5B2B7AEB035F7E1D7394CD445E332DD4D236E24D5C94E
                                                                                                                  SHA-512:8F350CB3D0C13A701C67749E103B1E07EE1E2EF8EFE71B70CC728F8E21DC02922BAB241CA256695DAC9B225D450623E9F8DA055EA062E336D7F1CD9D2A3FB6D9
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1409
                                                                                                                  Entropy (8bit):4.992215339808616
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:2dNQjY8L2PRRkMYaWcvJ9AwcPGnJg8vQpyriEWZoEs4h:cb8MRRkMVB9AwVbIQdsoEf
                                                                                                                  MD5:766E089F9AF0DAD5BFD8B77167D1E0FD
                                                                                                                  SHA1:0AD55E6BA596EFEB24867DC9FDCE4B3D2F2D904F
                                                                                                                  SHA-256:1D95ED644BB7D706E5B8EBDCB875B23F8B21C62C53C701EB8B3385F770808D7E
                                                                                                                  SHA-512:FD8ECF32094577A51579911AC3722D839A7B0874146B909EB8DC944CDB5DA459BFCF7EB64B47EC08F40515E6C38B4C4CBA1F4D9F9EB403E891A8710310DBAECA
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8" ?>..<nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. xsi:schemaLocation="http://www.nlog-project.org/schemas/NLog.xsd NLog.xsd".. autoReload="true".. throwExceptions="false".. internalLogLevel="Off" internalLogFile="c:\temp\nlog-internal.log">.... optional, add some variables.. https://github.com/nlog/NLog/wiki/Configuration-file#variables.. -->.. <variable name="myvar" value="myvalue"/>.... .. See https://github.com/nlog/nlog/wiki/Configuration-file.. for information on customizing logging rules and outputs... -->.. <targets>.... .. add your targets here.. See https://github.com/nlog/NLog/wiki/Targets for possible targets... See https://github.com/nlog/NLog/wiki/Layout-Renderers for the possible layout renderers... -->.... .. Write events to a file with the date in the filename... <target xsi:type="File" na
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):883760
                                                                                                                  Entropy (8bit):6.071504659955744
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24576:V1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQJ:V1n1p9LdRN39aQZUqM
                                                                                                                  MD5:17A183A03C34B8EC1C91B3DD0B50E022
                                                                                                                  SHA1:7D226520BE51BD71D05D7EB56793233794F87DA4
                                                                                                                  SHA-256:381278035C5A8A4668D31B12F0BF3DEC6544E9668FED84DA038A8D21D233D72D
                                                                                                                  SHA-512:AD5591F6B90A07C00F10EF19231BB3C766E9E27C2205AB3A32C15B7D0DE0F732A5600665E4302290C771F06370B23E4FF0AC63E51C1F36899F98CCB6BD5F8C01
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):710192
                                                                                                                  Entropy (8bit):5.960370699367048
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:hBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUW:hBA/ZTvQD0XY0AJBSjRlXP36RMGj
                                                                                                                  MD5:53D8AD0BCDED36C2EEBD4D3C45A60BD7
                                                                                                                  SHA1:9289840CB0518AF183BB41AB05428A6415B92AAE
                                                                                                                  SHA-256:07A068EF96EE5F447282B42B1818FDFC372B674893E6742A5F83DDBC4DF13ACD
                                                                                                                  SHA-512:41B19112B6CCE405E16153354223F4AFF548E9F55EDFDC158588E78D9EAA755E10865D7220B916EC14DAB4181C55C005B161B44AC011419EE85EFF5F65975523
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):284208
                                                                                                                  Entropy (8bit):6.11766612253341
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:IZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHex:Ogo0WPVTXgk
                                                                                                                  MD5:D1BA01295CAEFA1F00261AAA943FFDBC
                                                                                                                  SHA1:54BE9D6F121721542E1B563804766592C9EBF14E
                                                                                                                  SHA-256:F425945B4D1BD5D65776EE4FF4330F33947692EA5E797EDA3103B6E380196BAF
                                                                                                                  SHA-512:DFFE1F15F635FD9C083B51C66DBE5C5C9B16516B8CA036B262765279FBF01FC521D10AE31288CA3FB5DAD4F8B6E744DDA33FB8698267C40970DCA9409178E067
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):22064
                                                                                                                  Entropy (8bit):6.678784612747097
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:ty/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqpx:tuhMaVmzDC67EpYinAMxCJ
                                                                                                                  MD5:35082EAB5825C9A9D021B5B97BE382B2
                                                                                                                  SHA1:4716CBD843C8A2A1AA7ED7C95700672E9A863674
                                                                                                                  SHA-256:B91E3FA4C89230B668EE2DE7D6824DAB708B981F1AE94E734445154BC8A3F6EC
                                                                                                                  SHA-512:9F0FFB52E060910662AE7AA020AE836119BC609B3E0E9367C7C9D2F2975FC1DDEB1EC1B2F708704C22D666E778B787679BEE5A3CAB5868C09CCB5B57C9026BA2
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):97328
                                                                                                                  Entropy (8bit):6.2419469146373485
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:3NSbHB6zBedWp71O37rGMsQ5gbDnTE8iayI2Sf+Ku6JhbDEhr4WTJ7HxQ:3N3OWMsQ56vd2s+KuYc9RTJa
                                                                                                                  MD5:9F59EFE4EE7BFF13F5866311048A6A80
                                                                                                                  SHA1:1F20929EE2BCC0BE40848CC739C6F31CAD13DA69
                                                                                                                  SHA-256:32FB947BAD722480938922DC363DB76AB0079383C6D732B4998C302B03D87200
                                                                                                                  SHA-512:CCCAAF2396AD1307AF0B51B424005BFB350508059CD9CF3E9641D396CCA3EC4C22EFB0329DF0AFD0B3888E07559B6904A0361B85A80A527CD3139161CFF91DAA
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):138288
                                                                                                                  Entropy (8bit):6.17954530016547
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:G3XFz0qjCIPMAxlUXUKoPfw0kG71AHK7cnO:U0qjCSRE+fw0kG719
                                                                                                                  MD5:6D055BBD0463057997B216FA41FC1BAA
                                                                                                                  SHA1:0E3B5685453BFE674252EEFE7B29DDFFE3394F36
                                                                                                                  SHA-256:94571C1156471E113A0BA58686D0E0F8C8A18B7F5415A17CC00688D6901D6DD6
                                                                                                                  SHA-512:D3D1FB3588D4AE7279244086069DEF2145FDD341099BD66B801CE1F7EB18F4F68B0043D3CF4BA5C8FA3FA680EF228C3371743AF1E9DCAA64711321EC6A94FCEC
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):17968
                                                                                                                  Entropy (8bit):6.673983708245621
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:Oh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBhKr+:Oy9eEpYinAMxCAcr+
                                                                                                                  MD5:351EE6E0FBE6951D43F195DBFD34911A
                                                                                                                  SHA1:2FAAD5BD1D08D9791C941F6F01BA41473C12DD1F
                                                                                                                  SHA-256:8B4AF4380F5083A9DC11F5E74FEA942A34DE4AA3740EE0DBCEF92A95AFD656F6
                                                                                                                  SHA-512:00A0600E0E4541058B8FF5A7314E0C2779B5BA5E3F9FBE9F15556E84D84D8B3C0317116B29A832CB038457EF6CE1FA88149C18E7DD33D27A3ADD3AFFAC5FF9D7
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):342355
                                                                                                                  Entropy (8bit):7.999222579004313
                                                                                                                  Encrypted:true
                                                                                                                  SSDEEP:6144:fLe4N0t70oZhKySScszMVqdFYU6cm5w8rsKYIGXNAYpCvMgZ33c6Mg3rRSw:fLe4470+hKyJFzKqctcm5pluXWJvMg5t
                                                                                                                  MD5:E27812C62B44D50108046AED9727CA73
                                                                                                                  SHA1:8B8B8B6D7408F90276D316C6EE87C8C3D4709D60
                                                                                                                  SHA-256:9EBC30153A86EED1F8785709B941B6141AEA67F7E2483CBF2ABBEE556E873203
                                                                                                                  SHA-512:89636345624539C81394694F3ACFC308ED97A5331ABF1035E4AC983DBAC18414151D6346171CA7FB0FECD1A53F16E0A7B66CEAAF9736C30475B1CE98A0D2D402
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):73264
                                                                                                                  Entropy (8bit):5.480932323340301
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:SpfpyM3uykm7XvXiJQd9Sy2pJoUvAfuc7HxeX:062T2co
                                                                                                                  MD5:00A4D22D776D110ADCC63F0C567131C6
                                                                                                                  SHA1:88EBB71C2DDB4733F10107B35AAAA3FBCFA52473
                                                                                                                  SHA-256:01DC7B7F54222FA9494BB76A61D81A793A232A39AB2C07E2F0BD12152441F5C0
                                                                                                                  SHA-512:B80264CF36B749985E3F03FFB5BC47C07342BEA27D547AEED28999D0D6E4F9A207DFBFB0DD2806D5F483A857EA9076A07BF51EE6D87144B6FB4347A829E5DE78
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):541
                                                                                                                  Entropy (8bit):5.097123194334321
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:MMHdGp2VvOF9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdsIOvPF7NhOXrRH2/d9y
                                                                                                                  MD5:D0EFB0A6D260DBE5D8C91D94B77D7ACD
                                                                                                                  SHA1:E33A8C642D2A4B3AF77E0C79671EAB5200A45613
                                                                                                                  SHA-256:7D38534766A52326A04972A47CACA9C05E95169725D59AB4A995F8A498678102
                                                                                                                  SHA-512:A3F1CFF570201B8944780CF475B58969332C6AF9BEA0A6231E59443B05FC96DF06A005FF05F78954DBE2FEC42DA207F6D26025AA558D0A30A36F0DF23A44A35C
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):12
                                                                                                                  Entropy (8bit):3.418295834054489
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:WhXXLUn:WBXgn
                                                                                                                  MD5:D97129F80E5F51DF4BC807C70026AFD1
                                                                                                                  SHA1:B83B2AF5910230202F77D5665A1529143191C1FB
                                                                                                                  SHA-256:815491D276BAA5B6E48C5CB43A85F777B7308BA791CE354F4EFB0DF936F314C1
                                                                                                                  SHA-512:C730BFF87F8CA8EE7A78ADCEE7A3EE87BE308DB3212535CECF067B7FCABCEB7B558CD5E0737D12C95C86BA862A43D95F21CC82C1FD423C1DAFF246129B46C853
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:version=22.1
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):96816
                                                                                                                  Entropy (8bit):6.1807776376128585
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:5Jt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7HxwU:5QUm2H5KTfOLgxFJjE50vksVUfPvCl
                                                                                                                  MD5:4DAA19F0B5C29DDDAC45AD19C63E8D6B
                                                                                                                  SHA1:EA97E4FDC567CE6EC439E11533CB7E1668B82E8E
                                                                                                                  SHA-256:F71FBE9D385D713F2833798A5141F3A74C6261980E64C5E59E1DB81C520F73D8
                                                                                                                  SHA-512:2BABB207DF5D6A9391646906E6FB52ABC6644F14B846FD3B47C8D793B6EC236BDE3872A958DF63EDAC201280919D4A7F7C129313E9B1711285456508DC35D517
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):710192
                                                                                                                  Entropy (8bit):5.960797168894863
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:kBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUw:kBjk38WuBcAbwoA/BkjSHXP36RMGF
                                                                                                                  MD5:DEB13F3C39F77E4D6CEF5D7A53165178
                                                                                                                  SHA1:07970FCFFE5D4CCE3DABA1305011573F3744492C
                                                                                                                  SHA-256:4DD53ACB2324704EDC4125AB72F4C235780B8480F77EA084FA53CB57E0346EEB
                                                                                                                  SHA-512:8C96E007DC027E5359819C85CD8A349333462919D988F82E4F4787F37BB49BD499E432EBE03A79E75E74118FEBAEBE430C2B2CC4E8029D2E9F796C77CB5F56D6
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):637958
                                                                                                                  Entropy (8bit):7.999354686674398
                                                                                                                  Encrypted:true
                                                                                                                  SSDEEP:12288:HVd5b8dhfpvZ3U9ygocoFAdF4r0el92pBW/wFIlzxDFBLXJ:HFbyhfVsySoKdF6D2pswmlpXd
                                                                                                                  MD5:767D5DD4AD2D6A3E0FF3E45DB47A9657
                                                                                                                  SHA1:982A2AF2C94AE33CFB240A30A1C6433E5E5689DF
                                                                                                                  SHA-256:156218F309CAF003096CB28C2FFCD74A0989E4FD0207E485A3292A4D8D1C48ED
                                                                                                                  SHA-512:E8104B3622BF07059131F3F0A8DC9EA44C7B0E32213F534AEAE229F000B01425B72955197DC776F1B5750FAE2BEAAE888A2EA1D62B1630D3FC5D79B4C57317D2
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):51248
                                                                                                                  Entropy (8bit):6.297269575035048
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:MNb66jeKAdzF2a11sxKN/NEQDg8vM2j7HxqW:MQ6jeKAd5b1S2/NPBU2jR
                                                                                                                  MD5:26E9CCE4BD85A1FCACBF03A8C3F3DDCA
                                                                                                                  SHA1:3F78C454CC72D4C5B2A0F295530391904EC87948
                                                                                                                  SHA-256:50F399A3867DEAB18530F8F3E72D489A15F62D6E250F4F795C7BB735F9522899
                                                                                                                  SHA-512:D57C6A799C01A3F67AFB3DDEDDDBD49ECFC17C2347BEC24ED85207A846547F6288D2023961EDCAB67DFC512E0B1DA187C475A7D01BB1005A61D337EC4FEA0FE0
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):973
                                                                                                                  Entropy (8bit):5.01886272205883
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:JdsVPF7NhOXrRH2/dV0PH2/+w3VUrPH2/+789y:3s77O7Rgdsg+w3Sg+78w
                                                                                                                  MD5:3CCA9B00717A374829CA50C82C1E70CF
                                                                                                                  SHA1:357729D1CBFA36318D8A91BDC8C039E254A7CAA2
                                                                                                                  SHA-256:4161C6070CDBCB94718A6E76931AE38CABEBB70E5B00C55E799E72E61F0ECAEC
                                                                                                                  SHA-512:C172CF13115FC724799C50218F00A1055FA84DEC6B9FA28F7C981DE94D4DE64CDC7797E903D4E8B87CA2FAC535B62EB395E372656183C75F42E7086598C3C435
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />.....</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.1" newVersion="4.0.1.1" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):12
                                                                                                                  Entropy (8bit):3.584962500721156
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:WhXTLd:WBTp
                                                                                                                  MD5:B1DE0EF19266A86B8F7A2BCD03ECD23B
                                                                                                                  SHA1:AB91C344BFECEF0CDB73119D4C5C72BAA8CD21E7
                                                                                                                  SHA-256:50578EB887B529FB77AFAA4F3A888ECA57E2D640F4789BBEE470F1EFF04DEB7F
                                                                                                                  SHA-512:656C69FF2C62F2704AC409AA3B04CB78B9767FE908BD0BE4C6977A469B68D7C5F83B786EE915BECF5244E70892A48A92B9D0CA9A767EA329B63A6EAD98F9F274
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:version=26.8
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):102448
                                                                                                                  Entropy (8bit):6.190977882973481
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:VPAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OL87Hxo:V2bYbYSWd85I5sSakFQhHL8i
                                                                                                                  MD5:6C0E7E9151E242E401EEBBC13558E3F5
                                                                                                                  SHA1:9A5963712AD9E0F336A4749E7C258A67EF6260FA
                                                                                                                  SHA-256:77D6B8CB94B6CF5B399704C3CD5877211D99FCCA58F94D120998FC41185D0E0F
                                                                                                                  SHA-512:02E5E5FA52BDA5CFF5181196C6A62913FA87D6675CBA27FBFF3D0C50F305BA4CF8D9D8C4016EDC90AB1513BA39D89B50566BFF4D05585583EF03B8AA17BEA793
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):16432
                                                                                                                  Entropy (8bit):6.857474166817892
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:w9c52LPirPW94/DNyb8E9VF6IYinAM+oCOX3lq:w9cym2KEpYinAMxCg3c
                                                                                                                  MD5:E1AA9E74F8E36783187BA548C26A1D95
                                                                                                                  SHA1:52FD9D58877986DCDDBDC5C1DAC6825C5720A4F1
                                                                                                                  SHA-256:CE46D831129B265740E521A614DE1F2BEE211F350FFC9643407C75308E1DBE06
                                                                                                                  SHA-512:B2D79FD01D4D0BC3CCFFCD62ADD4BC45BB25561892CD23299163EDA10896249F53FD966015B7655C209B33EE413C10565D51861298061E3886B43E77E59ABDB2
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):542
                                                                                                                  Entropy (8bit):5.041389931890446
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:MMHdGGsVZrdSJ9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdArdEtPF7NhOXrRH2/d9y
                                                                                                                  MD5:547C772B1DEA0A1E8030F6ED5BE2AF75
                                                                                                                  SHA1:6F4A95B2EA3342D7B4D61C715C7FC076EB6A2DC0
                                                                                                                  SHA-256:C35A8B8AF7ECCB9BA68B129FF7F46EB1279229D637049F40761A697E9DFCD5A4
                                                                                                                  SHA-512:0F77B35AC34C8E4655F7F1F4EBF1A86AA11F96C689E632DA8BE8A17CC69A9292878E0058DD9EA5FF7315DCDD8B34489F06E6DCBB365569E3BB80E81373792FC0
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):398896
                                                                                                                  Entropy (8bit):6.134467211026903
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:WjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/ZmvH:W+e55LgIkTmyAAfTnMLvH
                                                                                                                  MD5:6C03B5CEC0E3BFF6410B020CAC7EC662
                                                                                                                  SHA1:DE5C6B33A97BBF0B3063CF44DACE307FEB968BF6
                                                                                                                  SHA-256:05C2739F2AFA9A05514CD75C12BE6C0CD73A8356A28B3FAF84140FEEE416F339
                                                                                                                  SHA-512:06900ACBA446F813E8181E42A0713B5BBD568068960DD0620C4EDF0F3C096E4C8B409181AC8FC51A24F638E37F908B6212E22DB3799107B51578B6853A8E60C0
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):710192
                                                                                                                  Entropy (8bit):5.960755198774021
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:eBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUj:eBjk38WuBcAbwoA/BkjSHXP36RMGi
                                                                                                                  MD5:FA365D16F9EB02769CE0ACF75C31C832
                                                                                                                  SHA1:F83D3F502E92DAD01574D16FDE5E7CA81C53A5DB
                                                                                                                  SHA-256:63A690F6523922CB55B065764ABA61BE69F11AA93C8437C01485BCC4AC182F46
                                                                                                                  SHA-512:E26E077C0C5806B3D4E1ABBB06087D08921CF6A46FA700343AA373213180BF9EABD7822CE418E24973909A515BA5B73DD0902402020E5A4AC56D387E378C4AD8
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):18480
                                                                                                                  Entropy (8bit):6.708180254980656
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:1qPstMu7M72kNyb8E9VF6IYinAM+oCiSFDKJup:1vMuo7/EpYinAMxCbeup
                                                                                                                  MD5:C9A5D57AF074418532A591B4443AD16F
                                                                                                                  SHA1:4F99922845AF05C64B36BC71FD34468683B389D6
                                                                                                                  SHA-256:322D41E1890A28359ED05AC7C3973C2CA3532CB77F8D0646B982A76FE0A68EE0
                                                                                                                  SHA-512:461CCFF9F349E6F8BE27F50C54464CA65AEC23DF6C4DEFB5A4AB085F8239899CE88B2C0B2764020807826C92BB2F757DCF39733721595E80C2AAA5A75718D9B7
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):500
                                                                                                                  Entropy (8bit):5.044946190927216
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:MMHdGp2VOD9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdsHPF7NhOXrRH2/d9y
                                                                                                                  MD5:5EF8C402347FEC5555700DB9D649C349
                                                                                                                  SHA1:2E70D02943060011AF38D9200B3461206F56933D
                                                                                                                  SHA-256:718459DA91EB82BD0ED8AD24CC3EABFCA61D1B5C1D9060111F85CC7D84BADCCA
                                                                                                                  SHA-512:F2650D2C604459E674810BDA95C37D3FE7747CF67B5736C4275DA91576B36F3FF882FD3F8A5F0591CDF335E935DB716BE827821333297F719C26B1152BCB4D6F
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>.. <supportedRuntime version="v4.0" />.....</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):22064
                                                                                                                  Entropy (8bit):6.676917265704932
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:ty/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqpodH3T:tuhMaVmzDC67EpYinAMxCWH3T
                                                                                                                  MD5:F2016790A63364276B5DE090FF0D9516
                                                                                                                  SHA1:C99BDCCD05A8813E6DEECCDFA0FD675FDC57A488
                                                                                                                  SHA-256:662DC69A05611BEA25F993F4D249C83340C2F468E9564CA625027A1EA9C84E9A
                                                                                                                  SHA-512:41CBB8D586AEACC6E9C156561A4C92EF30C3D50B8D4A91C2A0A41E186891C61776E102AC5DEB95A854C2241734A854320B49A0E0A05F20ECBCDB8A0F7E55980E
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):64048
                                                                                                                  Entropy (8bit):6.268502105017609
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:BYDFPV3uv9niVSmzPFX8lpJ6TJPe4TW9Lvu2perEuaRtIvqUl1JEpYinAMxC7z1:BKC9niwOepJ6TJPeb6NIUy7HxUz1
                                                                                                                  MD5:9B1EA8A460CDBE957FD464E52CB74F9C
                                                                                                                  SHA1:34574DE2F45BDA8A68F49C031A80476D6E6B711F
                                                                                                                  SHA-256:41046ADC0E23A6A673C6DDD890C4B43F21A615D470886D59FC436B09B994E7A8
                                                                                                                  SHA-512:A99E6C7829C4B6994E8AFDB4538DD8954DCFF96F2C59D62FFC91DA2E833F777F870A2F55A60CADBBED97ABA0F6411D6D40DE33D295491B2AEB45CDC51D485003
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):138288
                                                                                                                  Entropy (8bit):6.17978189203311
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:2P3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IlU:2h0qjC5RMOHO420kN1P
                                                                                                                  MD5:8D61BFC6E305850F082B2A4FAED267B8
                                                                                                                  SHA1:543224920E68C0C7B28C9411ECE8B9F8EAFA7DE3
                                                                                                                  SHA-256:B7EF8E721E39ACE9C8C4B4C4490AE5042634637D24DB4A70AF33D29DC4EC5C10
                                                                                                                  SHA-512:6AA0C22B6CBD1942AD74386919D8E4F0F69FF47FC97103BDAD3FE029E9137C51DAC70CDB84275AE779965E461BC992DE96028B92A3DB8F0D26B8B53A547CA09E
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):17968
                                                                                                                  Entropy (8bit):6.63676850357766
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:7TO9dQWXYW8aVNyb8E9VF6IYinAM+oCJF08IoP:7Cn6CEpYinAMxCk8jP
                                                                                                                  MD5:F6E07CB084C3B287E2D2525A597A4D0C
                                                                                                                  SHA1:E9191698963EA0613747BC24842DF8C37E6FBE84
                                                                                                                  SHA-256:D24366C19E9DFE77B7EA94546F336F20CF8F574F838F68EBB2179C6CBFE4F25A
                                                                                                                  SHA-512:5AC38F55D0045BFDB9951154E87ED30E98B200C148897E7BD3C19BEFDA634437A1EC5AA2088CE99F0E17644069EEA93E97AE1DA00DB5746C4784228FE35E1725
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3210243
                                                                                                                  Entropy (8bit):7.999887694277944
                                                                                                                  Encrypted:true
                                                                                                                  SSDEEP:49152:qyeQ7GbNMeXhV5aYiMjAsWRXYqV6EP6i++H9DFvxoLgF774RStxJgaFcoEoRbZK4:qvjARRoqV6ESuRFvfZ1xJgaKoEubwyv
                                                                                                                  MD5:B839D30F8183B3B4F2CDEE659C675F7B
                                                                                                                  SHA1:FA25990CCD7456F679FAC2A97A7BD5010F27E4DF
                                                                                                                  SHA-256:D7E6AC84B1533FD85C9394B1C37E14A49C0040647511783CFF0EBF0B3AAA5A6A
                                                                                                                  SHA-512:5F0AF1AEC2C5A76B87482BF7512FB504E8E94A4ED99CBB47EB69BFD4D4B82424D2FBBCE790CC1E95B92A71B35ADF61D1257E1375E95441784B509301DDBBECB9
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):33328
                                                                                                                  Entropy (8bit):6.289041061900196
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:Q7MUy1PkyNpWikfoGK5ydFpjJpO6iRjBMlYL4Nyb8E9VF6IYinAM+oCb9n+2h0:tUy18yHFvcVkNByYLwEpYinAMxCJnT+
                                                                                                                  MD5:38D0C4B048371940F8091F7237A4CAFC
                                                                                                                  SHA1:CB6A1AE8A140F9065B587E2E6B140A206EB9F3C5
                                                                                                                  SHA-256:B995FEC42A185DA67CDD84CECD2156D7D35624792E849B0032CD98F23E605717
                                                                                                                  SHA-512:EF3C2EAB28B55FD893B12A2DE7DB7F76BF5CC8417E2B0FF3D547439BDD96E0DCFC7E58A5E584AA12F5353A96E72F664E4E00ED422309F91499F43D9372AF1813
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1062
                                                                                                                  Entropy (8bit):5.04288182607063
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/F9y:3sIk7O7RgdjdgFSagFw
                                                                                                                  MD5:D82D26318224097C2B13F43E879DA855
                                                                                                                  SHA1:4626369E38B4505371D1376FB9A50B401B21A7E3
                                                                                                                  SHA-256:1BE14A97E8F1FFC962C060B76FFAC47298D02680F235097CABF378EDB3EA34D6
                                                                                                                  SHA-512:5E3B09D12E5FEFB6B82DB7E19A3D856D02C683B211F18CEBABC0A6FBEA9B3E84BCFAF414C7DF043F986F78A85DB8A22D4584DCAEBE59CDC0A527D7636B31886A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):12
                                                                                                                  Entropy (8bit):3.584962500721156
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:WhXdLWn:WBdin
                                                                                                                  MD5:5728F37CFC2DC92BF43C121A6F79C5CE
                                                                                                                  SHA1:19EE8C5BB03731D56A53AB3504542DC0070D4B06
                                                                                                                  SHA-256:C32E80677BE264A32A0A2A7B4EA35FFE6FDBF6BF1DCD01D94B1B4C96019DC227
                                                                                                                  SHA-512:0A6D04D031445F09128E47B0A4A707383050FABECB1A9386F339B87BE883EF6E25D8BBCEA82BFC183EF0F050CD23B463664D03CD5F6EDCB6FE7E0B62A6A70D35
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:version=28.3
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):99376
                                                                                                                  Entropy (8bit):6.188761864201478
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:zlAttsLnppOphwrfNIkZP0kLv+ghDBzmItlVYlkL5ihaO40QhflQCxhB7Hxxtn:zoESpOPptPkW5ihaOdQhfhBXJ
                                                                                                                  MD5:326A032D0A87FAB05ED8D57D2D216051
                                                                                                                  SHA1:74B4B774C883A457096ABCD87F5E61B6039F6404
                                                                                                                  SHA-256:8D3C448F1B217283901CDA91F5F364FEB2E687EA3215C5D6A4A2B1E00023FCA5
                                                                                                                  SHA-512:AB10823C4F7D059B58763633957204D9140B5059200B9D98FC0EFC8D6DFAD9D634C825D258F733E6E2D83EFCB28B115DAFA84194542BE739575900577E99D7B4
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):145456
                                                                                                                  Entropy (8bit):6.2042725616704395
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:XRdbKQx0YYK8gwbUEA5xZs0vVV2yzlhXhYThkyFqhtuElLVwkVJe5K+Q7P6IlIhh:h9XeDmzV2yzlhKLFU1lLVp1+2flYFsE
                                                                                                                  MD5:B59260EBA8BF2EE501398BBBD612DD1B
                                                                                                                  SHA1:729E96220CF3EC844EC3F9ABFD4BD73D3512644A
                                                                                                                  SHA-256:3425CECA90571FCA7A4151BA164835EFD83E0D8BF9A5BD89C0B2176445618C03
                                                                                                                  SHA-512:FC63636CB038D8706C6C7A48F0CC22F2C38AFCA2B56454531397C56FAF20B3785768444F2E7FBB7AF38593CB65CC248ABF85B988A08B53D433E8B52A027F1ABC
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):29232
                                                                                                                  Entropy (8bit):6.673717274940504
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:umYaXzmSJL6guJrdvc5tIZmQCaBj4QU3hOTVTDvAGvoOCcdcOFyF61Nyb8E9VF6g:uSJh5tIYQzT5zyF6REpYinAMxCWCG
                                                                                                                  MD5:22EFB61EA5916A90DC5C2723AB9681D9
                                                                                                                  SHA1:4973186A7A71762F30D23B3FD61CFC8E59F85FFF
                                                                                                                  SHA-256:E191F04F054CC31050242667997A24B2F6F03E736496E6D15F7F6C8D6BAF946B
                                                                                                                  SHA-512:CEE45AB3154ED7203D93683ECA6782A18712B9385E49536553B73F69A055B8A54D7FEA9B141868A8C3A4684FB43B96B28FA77976B80CAC262E40DBBB603DBA6B
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):219184
                                                                                                                  Entropy (8bit):6.063062247976835
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:GYq80gPJle2CpcKyudA1+PVtMG8e7sw9CcHvhlO:GYqqbe2CSod5dtM8ww7Pq
                                                                                                                  MD5:A98AF596D3B2132C2CEDBDBFF7D4CDE8
                                                                                                                  SHA1:9C89078969FFC51B3FDB250B9A4D470B3AD31226
                                                                                                                  SHA-256:D1A7528E7954A6F381392AEC0B55EA1402A40281A5039964718AAA9A17995554
                                                                                                                  SHA-512:1C13E40236D9F13151D5894C3FA91775287320AD3A18454B2FA08C841EE94ED199872BA5E6618CA885AF0A9B0BD16AB203DA4B7951ECC5E5286195077835A39F
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):320048
                                                                                                                  Entropy (8bit):7.04954221957778
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:eE5mx115y505H0jIfJMSFk9X0jIfJMSFk9P:5wJMykwwJMykP
                                                                                                                  MD5:E3A4251F421644537A2196F9B4CE74B6
                                                                                                                  SHA1:ACC5A07FC7D217823AEC4E990E20C1197B748E0B
                                                                                                                  SHA-256:0F17AE8969A89AD288A08F970F4D766BD5F47AE694A6CB02D27F540196633B5F
                                                                                                                  SHA-512:FF049EC12526EFF7256DC43589411333607BADB66FA6482379CFC02BA8E906804C62940076DF52A31B0FFA20C0BEDF2FE4369AF1A71523C48AFC94E70F96CC57
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dll, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):432
                                                                                                                  Entropy (8bit):5.0141792226861375
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:MMHdGzNFF7ap+5v5OXrRf/2//FicYo4xT:JduPF7NhOXrRH2/d9y
                                                                                                                  MD5:8F6EB9E75E6A6F0C0D58FB697C10CEDF
                                                                                                                  SHA1:6944935DFDC33E0C6DB26869BF25EDA85A2622D8
                                                                                                                  SHA-256:E2B8677434501735FB0233ED0CC2FFEE5BF6FB4387C51DBCB2585A70E42E4F08
                                                                                                                  SHA-512:A946252B2E3705EAE751A2672D4ADE1499ECEB28C48B4BE6150C4201EE20A7B9A4450C75E06B07F5DAA3528041A566931D988FBD0C2EA90240D61008895BA44A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):215088
                                                                                                                  Entropy (8bit):6.030762106922537
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:s1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7sI:TIzm6pOIgvr7l
                                                                                                                  MD5:385C044355D41088DE87A4014830B959
                                                                                                                  SHA1:E187C86A255F9E80B8AAEADDB7D67D356268A1E3
                                                                                                                  SHA-256:5F0C27F2DBA2F48B2C66A35D3FFD412C8ADEE862A8FD4C9352C7FD350F64232D
                                                                                                                  SHA-512:D6423DBCA36C22CAF42520E7FD3CC373931F1CB5D901BE727054EB0AD2F5FE7D7D6F4853505A3D71BE19BAF9356558D10A4BC12276B2FD0C08842AA81E98C85E
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):398896
                                                                                                                  Entropy (8bit):6.134413436769306
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:LjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/ZmvR:L+e55LgIkTmyAAfTnMLvR
                                                                                                                  MD5:D9804876CD5CD235870275197E3CF20F
                                                                                                                  SHA1:35E133F32ADB18E1922A13CC9417CAFE7BDACF3C
                                                                                                                  SHA-256:67F2A80EA60040388C573BB258107187F9AEBF73C0CAC924B90EC8623F25BB98
                                                                                                                  SHA-512:9DECDE1B2D1379AAEA15FEF9C15AFED2A6662F711C9EB88A66BFD1D805495E46ADCE75C4F2A0393220CBFE2AC0B740C58C5E0DED7AB2A64F0074BF86792196E3
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):710192
                                                                                                                  Entropy (8bit):5.960745104302858
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:dBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUE:dBjk38WuBcAbwoA/BkjSHXP36RMG1
                                                                                                                  MD5:CE0398880DF73A9988A448878A3B9956
                                                                                                                  SHA1:2826C08F760B52C04BFCEA86E332AC3F878F69AD
                                                                                                                  SHA-256:4CEB0E377C8F196CC4D4888EE54E47F382E02796236F7A72240D907A7385E66D
                                                                                                                  SHA-512:D056B7CA541AE252698DE5F6698118EB2CEFFD554C7283A5EF363181860FB476881013EAF024A353E36BC1BB9CC3B348AC4ADB1F872DD2EFB91A8202AC460B70
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):154672
                                                                                                                  Entropy (8bit):5.991123539092514
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:84wM6OoRu7qywKsqxhDuPr5xJMnOfMAw3TkHjt0QQNOWIkHUsz72otckX:84wZywKn/U5xEwKIk0W7
                                                                                                                  MD5:2BA1FCF19D603D9A0282218817DED990
                                                                                                                  SHA1:502141586ED836857CAA4C0789E31F8591CEBC19
                                                                                                                  SHA-256:6CF1638AD007E1F5B4D699FA16F5802DDC6EE849EF89F5DC9B29259B8BCA31D2
                                                                                                                  SHA-512:E18E0F9501931AF0F50840DFFF589C21870E760E87DBF4329C985764CA3F1F894D04A5A20A70CEBD3899A0DDABB80007B905F24C763B37DA5D441AAB8E9A14F5
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):22064
                                                                                                                  Entropy (8bit):6.6701569477433615
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:JrMdp9yXOfPfAxR5zwWvYW8avNyb8E9VF6IYinAM+oCAnu:JrMcXP6gEpYinAMxCr
                                                                                                                  MD5:36D91FF169FA7D1FBD90EC942BB8FDAB
                                                                                                                  SHA1:91941BDCE1BBEFE142A332BFF8500BD62CB484E5
                                                                                                                  SHA-256:86B21B42C25E3638B3EF60F79B9B806B080BB849FECFAAF1719E276A381BA862
                                                                                                                  SHA-512:F70F7074D8314ECBFFD5FDC83D4456AACAA82C3E50EC8B965F367F9CB121AA9E4949C2687D6BE792E9CFDB9F1B5591C632BA3326FE6CB4E9F16A64A3D605A6D3
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):420400
                                                                                                                  Entropy (8bit):6.109702755734386
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:J5douWvsWkOfjL/MEd6/7vfA8SCW1nFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFM:JpjblhW1s
                                                                                                                  MD5:C3558863CA0944E84318430B50C49A83
                                                                                                                  SHA1:19F85D03D5BA5CE72A9B4735895ED9B8203ECAF6
                                                                                                                  SHA-256:3E2A5E70ABF805FF600A830DF3B10B5A4B21C125E199E98FAFD690F9CDE49E0E
                                                                                                                  SHA-512:4F3411A94AAE00D5A1B07D434E8541C999A106A2B7EEF5E0CC18C243EA9303744FDBE20F382AB9AC1094793314B4674BE10C6D29B8CA777A816CE80C9CDFA4EA
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):142384
                                                                                                                  Entropy (8bit):6.161674239036169
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:/UGrszKKLBFa9DvrJGeesIf3afNs2AldfIQO:mBFd3/aFs2D
                                                                                                                  MD5:3D209DBC9D069C694A7E039879680094
                                                                                                                  SHA1:CD98879414BA2D550B90B4EC21FDC93896BB43D4
                                                                                                                  SHA-256:BF972E77F57572F4A5DE66B3AA60125113F6775349CC64F657FF0FD3A3D1E269
                                                                                                                  SHA-512:DCCCDCAD553D7AFA11BE2DB2BF1C057BF9CA299FEAAC7F4370BA6735865039333CCFD14B429EE9B2954F8886937C75D3B5004B9EE22A91CE5FC49B0EE1BE55A9
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):110128
                                                                                                                  Entropy (8bit):5.511843221988224
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:8POw0SUUKw+GbgjMV+fCY1UiiGZ6qetMXIAMZ2zstK/i7HxEC:8Ww0SUUKBM8aOUiiGw7qa9tK/i6C
                                                                                                                  MD5:DD336332F203D21CB6CB7945751FBE89
                                                                                                                  SHA1:3708A5CAFA56CD73177A66BC9819B28E1392F08E
                                                                                                                  SHA-256:BCF272E768CDC50177A021E3D6C6ED84C168500C99F21831C7AAB16490720E51
                                                                                                                  SHA-512:9ED6DED44DDA2CEA46D05E8DD91E255984B3B044692767B1320028EFF257DEBC5BF70805913D30F86667E1FBE9F37387E4BE75A491967D00484B80691989DE90
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):17968
                                                                                                                  Entropy (8bit):6.674184000106668
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:th06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBTnh2:ty9eEpYinAMxCAbc
                                                                                                                  MD5:1A61E7ACC0FEA379E6645ACA0FA2A25E
                                                                                                                  SHA1:91170B0DE0B2188D87ECB65FAB09DEC5876D9077
                                                                                                                  SHA-256:926BBDCA5CF52A735B1CAD532CBF5956E22D6260B75164879B77099998B86497
                                                                                                                  SHA-512:80F429A373F3649E52C0B02BB5A9F8879EBC4BAC2F11463E7A394353D110D7D17C180964AF88D3A664BA1D685730D933630848B8F65CBC14AD22A1A69C860D8F
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):19504
                                                                                                                  Entropy (8bit):6.527038388961906
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:lyPa16oAL4D+wW9IWmDIW4IWYDcNyb8E9VF6IYinAM+oCFOTd8r:lWs6oqDjADKeD8EpYinAMxCWi
                                                                                                                  MD5:88AF2FFBB26FEFF7F1CAF611E4FA9698
                                                                                                                  SHA1:7B4C260F8941741F59C319B6FB8A4FC244C9E30F
                                                                                                                  SHA-256:4289FCB6073203CEF6F95A9F32DB1126BC1468F59B78FD8A1322C2138BF2F13B
                                                                                                                  SHA-512:E41E8DEBD6856809084801DAD147AE5D6C9E7A70CA11BFB59768639979460480421F15DFC85F2B61D97993208A0925C4AB035EF8886D6548FA99C4453C6B84E1
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):41520
                                                                                                                  Entropy (8bit):6.409405329775532
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:vj+Aw5tisJ7Mkvwtwq6uUQ/B0X5tl9wCVjkz3pVS3Upoztjq3Nyb8E9VF6IYinA/:vtsJ74GX7nwOa5VS2ozdq7EpYinAMxCV
                                                                                                                  MD5:4E960631A047F95AF097A93B5872D084
                                                                                                                  SHA1:42D5CF222C7783B52AE36A8CBA647D6C97A99A2B
                                                                                                                  SHA-256:9A945E3071D8FAC99AEED5080BAD1B72397706A73BBAD0EA68FE4A1DA4740A5F
                                                                                                                  SHA-512:DCCAEC5492207B6A7E39067DC8B80C57A3AA4108837DA7B89220EEE2F8C6F634626FECCADBAE9199065A5940D8CE1A139B9C1724D0B495003596EB145710C30E
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1547
                                                                                                                  Entropy (8bit):5.008195800038022
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FVruH2/+mV0PH2/+w39y:3sIk7O7RgdjdgFSagFgg+msg+w3w
                                                                                                                  MD5:029F543956E8B235A70112C77912150A
                                                                                                                  SHA1:8F8916C78D9D3E5F92C37BDD39D34CD3B79BECA6
                                                                                                                  SHA-256:33720B1985FE3F07F13744963085FA641F452EC393C3C8987A6023D0BC493BD1
                                                                                                                  SHA-512:CF6EF25E7FD7E0B04A4F76B1552621874DAAA43838D0C028E62D1AABFFCD57AC7086A174BE9D5AF283DE8E8F09B5B40505478978102A1D8351681532B3828A38
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):78896
                                                                                                                  Entropy (8bit):6.052046545846071
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:++0FipdqO3rVJGdOVZKUNcbW1yX+7HxF4:bvzq3d2KUNcbWYX+L4
                                                                                                                  MD5:6C489D6252F194769ED442959994FFF3
                                                                                                                  SHA1:40CA92AC44571218DE6D9EF2F68A6D2D58236A63
                                                                                                                  SHA-256:BF95E3F11A6E5D235A50DB549F6787CCEDAAF826BC5789857CCB7E06974928B3
                                                                                                                  SHA-512:D2938834679DE3E13743B9F9573E321887957560B2CD6411ADAA3AC52AE7C98BE33C7B6E271AC59DCA7F680E3EF8455FDE7502A51411A8F77C9CFAC28A954EED
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):953
                                                                                                                  Entropy (8bit):4.9874198404771155
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:JduPF7NhOXrRH2/dVxlPH2/FVQ7uH2/F9y:327O7RgdjdgFSagFw
                                                                                                                  MD5:8C9F9547ABA4CD154FAA858695986C4E
                                                                                                                  SHA1:667630B8AEA31C20C20EE569983B73028F0DBA21
                                                                                                                  SHA-256:7DE06E53089587194D3669B5F2050B363CC2AC1BC66F0537EC4D7AD94357D46F
                                                                                                                  SHA-512:C305E923A197E2C39813D423FE50D94F183E932BCC66DBEE5667AD7F4083254D50510E35ED3603555FEB4C42F580C8A1FA3D1568CC7305D22B79AB406607F836
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):349232
                                                                                                                  Entropy (8bit):2.8915712901156754
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:WuwQVufSb/jb51EH8VAynnnnnnnnnnnnnnnwjg:WuL5t
                                                                                                                  MD5:A1EFAFE8DEA038AD50F262276E29EA9A
                                                                                                                  SHA1:3BA2B3AE17810F45DD432A6646128647603ECDF4
                                                                                                                  SHA-256:A454468B4478BB4F7AD6954493C7D447ABA553ABDAA7C48AE9BB607AEB1CBC5A
                                                                                                                  SHA-512:C22566F95870B3E62FDE914BA343B91CC76B4964BE0C08D15A4A16C6FBA2856DA07E6D639A709CCDA4A140475F7C45E4167343FBDEB1ACCC6F273778D6838F0A
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1547
                                                                                                                  Entropy (8bit):5.008195800038022
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FVruH2/+mV0PH2/+w39y:3sIk7O7RgdjdgFSagFgg+msg+w3w
                                                                                                                  MD5:029F543956E8B235A70112C77912150A
                                                                                                                  SHA1:8F8916C78D9D3E5F92C37BDD39D34CD3B79BECA6
                                                                                                                  SHA-256:33720B1985FE3F07F13744963085FA641F452EC393C3C8987A6023D0BC493BD1
                                                                                                                  SHA-512:CF6EF25E7FD7E0B04A4F76B1552621874DAAA43838D0C028E62D1AABFFCD57AC7086A174BE9D5AF283DE8E8F09B5B40505478978102A1D8351681532B3828A38
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):349232
                                                                                                                  Entropy (8bit):2.8915712901156754
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:WuwQVufSb/jb51EH8VAynnnnnnnnnnnnnnnwjg:WuL5t
                                                                                                                  MD5:A1EFAFE8DEA038AD50F262276E29EA9A
                                                                                                                  SHA1:3BA2B3AE17810F45DD432A6646128647603ECDF4
                                                                                                                  SHA-256:A454468B4478BB4F7AD6954493C7D447ABA553ABDAA7C48AE9BB607AEB1CBC5A
                                                                                                                  SHA-512:C22566F95870B3E62FDE914BA343B91CC76B4964BE0C08D15A4A16C6FBA2856DA07E6D639A709CCDA4A140475F7C45E4167343FBDEB1ACCC6F273778D6838F0A
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1547
                                                                                                                  Entropy (8bit):5.008195800038022
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FVruH2/+mV0PH2/+w39y:3sIk7O7RgdjdgFSagFgg+msg+w3w
                                                                                                                  MD5:029F543956E8B235A70112C77912150A
                                                                                                                  SHA1:8F8916C78D9D3E5F92C37BDD39D34CD3B79BECA6
                                                                                                                  SHA-256:33720B1985FE3F07F13744963085FA641F452EC393C3C8987A6023D0BC493BD1
                                                                                                                  SHA-512:CF6EF25E7FD7E0B04A4F76B1552621874DAAA43838D0C028E62D1AABFFCD57AC7086A174BE9D5AF283DE8E8F09B5B40505478978102A1D8351681532B3828A38
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):59440
                                                                                                                  Entropy (8bit):6.136424212220112
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:LXZF2u4+tuH4aPLEdUEaHLB2W0eUb16dk+CXdNTjRS8EeK6EpYinAMxCUlp:LpF4OyX4d2LPibMBCzXRfEN77Hx5P
                                                                                                                  MD5:5F5CBE4D68FB5D542EE020A9ACF96C67
                                                                                                                  SHA1:1933D32A8E06FFB6462C966E165B3DC332EA9EE0
                                                                                                                  SHA-256:E12133970720F11520242052B68E609BA43940EC7811E7BB4D403F5526291152
                                                                                                                  SHA-512:2C2049DF214843E7C015453E959522D60151F4E2A36453ED453EB0DD477598968ECBEB1118D9A25A0675E25387E4C7001394C904E6D7A16072320503A6C00D23
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1191
                                                                                                                  Entropy (8bit):4.971943087661362
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:JduPF7NhOXrRH2/dVQ7uH2/FVxlPH2/FV0PH2/+w39y:327O7RgdSagFjdgFsg+w3w
                                                                                                                  MD5:B8E88B1C181AFEB535BFEA1155000E8E
                                                                                                                  SHA1:EB9066E96542DCE5F35DBF2F1424FD79ACEBB65F
                                                                                                                  SHA-256:5D094CC46FED5173A2B1BE4C8E5DBDB658D2C14ABD367C47DFC6F6EABD5F295C
                                                                                                                  SHA-512:58459651D3358FDDD4114AB569786A2306338C08D27D3D449BE2084EAE9D4A619C5650D3699DCA6702AEFDE8F9E77FD9E56C87EF51D4A8CCB2A22A378C488C37
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):23088
                                                                                                                  Entropy (8bit):6.500492768778087
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:cLOGTOwM15TRwLm6orgNyb8E9VF6IYinAM+oCyyx31:cnMTR0PaYEpYinAMxCz1
                                                                                                                  MD5:4C2F50A98A0920EAFBCE911449143306
                                                                                                                  SHA1:57C569E0BC70BEDE8ED12971ABB983707E697933
                                                                                                                  SHA-256:B5B971A99D8B1B12D50FC3500438B14DBE52F6868E32746BC81EDA968191BCE8
                                                                                                                  SHA-512:4EAC7DDE34F4B819C202E0F7C2D190E118CD775F2E9BB1C60252C781B63EAA57BBB9A756AC4F33986BD0EB0C7EE1EEB5FE67984A9A39BE2DD23EF8AA28FBFC31
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1817648
                                                                                                                  Entropy (8bit):6.5514063134954625
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:49152:H9EeNSPwEW3cFSI4Tfm3hvbHsjAJcAMkPV:H9Nzm31PMoV
                                                                                                                  MD5:600DF4415CBA2D61CF262E235F32C4C6
                                                                                                                  SHA1:136C9AE5C18A7EFBC1BB2FE862811706E7300879
                                                                                                                  SHA-256:41EF86FC555B35230DC3E376C7E36C161E2E003EB64A80E1567FFE20CBDFFDE9
                                                                                                                  SHA-512:5E51C6B66D139B5D4DB29A383FC659A628DDA1118B1EA71AF1E83B94CE463914A0060899838E02BB96004E6E40881E9A0F6E5E612A0369B7831F40526D4F054D
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1436208
                                                                                                                  Entropy (8bit):6.781423378705323
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24576:cs5ThI+vIjDEzn7tcBGtYnxLbdVlRdouD5RawYkGq78Yr4i9YE1tOvhefHXCvEsV:DlI+vIjE7mjOuKa8Riy+gvhaIn2+0q
                                                                                                                  MD5:182F0F1D9A8D576391772A6FB9CE8677
                                                                                                                  SHA1:5656C9ED06C2E0F37CCF65B7D48AAAFF48368DFC
                                                                                                                  SHA-256:07F889E811F98CEA05BBE4D66B70E89E80EE0E1796415B9E89D8C20843F553D0
                                                                                                                  SHA-512:39AC646B10EE2F835703D55FC14A92B6E23521A6FE7A6DE67240B351B0123699F2DDC84548372042552564A488200C0F1ED87435B64DA3E1C73E9D379841FB1E
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):582537
                                                                                                                  Entropy (8bit):7.999529358280024
                                                                                                                  Encrypted:true
                                                                                                                  SSDEEP:12288:jFWPADWqxzsjJ/91r5+50BxeCMJuzjFxI5RWV7ZK5j:E8WQzz50Bxel0jzZU
                                                                                                                  MD5:8C3A8B04727329AE1B41873E81F360ED
                                                                                                                  SHA1:EF4647DAB3A94EF49769FC35DED7C9DD2E506A8F
                                                                                                                  SHA-256:EF5E5D94D5EACDCEDE92FB99FC3439EDD44FE53E352ABE058FBB46E43066AB6D
                                                                                                                  SHA-512:A47D96A9C97C6C6A5972182C5797C0B1B6A15B9DC7017CFE7798061540C5C686426473BA502B2949D0AA16547D92758E735BCF8CDA1C09A0326B14479239A6BB
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):52272
                                                                                                                  Entropy (8bit):5.836724024105667
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:ExCQ5h7KT77yxeqGLQOFfxicft9w56PzePEpYinAMxC6:ICQ5hGP7T3kSBft9w56P6o7Hxd
                                                                                                                  MD5:6095B43FA565DA44E7A818CFB4BACBA2
                                                                                                                  SHA1:0613CAB68FFB3903A18ED5F4967D52B4815D2499
                                                                                                                  SHA-256:9FBC99E85F5FA709D0D21854D4FE1FD420C7DEC8EC1F7105BE74EEB282EFFC8C
                                                                                                                  SHA-512:D0A27917F420968355AF04D572D597F83D8011A86E9C32546C0A7BE493556AE0618894DDA04CADC935A16264D7685823425D1E57F1A0873F0119A74664F88956
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):535
                                                                                                                  Entropy (8bit):5.076084597400077
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:MMHdG3VO3rdZRLNFF7ap+5v5OXrRf/2//FicYo4xm:JdfrdDPF7NhOXrRH2/d9r
                                                                                                                  MD5:D505E3DE03F172FA2B246E210054C5F7
                                                                                                                  SHA1:F5A480F56F760EEBA3B29108387E54D70A721127
                                                                                                                  SHA-256:A568F933F09B1AD1EE5E88DDCFFA1FE5921D18B73477136E1FAEE55F2BEF399A
                                                                                                                  SHA-512:80F01447B43525DBDF5B283522FE14D9AECEF16E55EA3FE36DC0A94B53C49E03BB56136F0911C348FB78FB5AF6112B1DE7C38CBFFBD73ACB2971655EF1B2B859
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):12
                                                                                                                  Entropy (8bit):3.584962500721156
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:WhXTLd:WBTp
                                                                                                                  MD5:B1DE0EF19266A86B8F7A2BCD03ECD23B
                                                                                                                  SHA1:AB91C344BFECEF0CDB73119D4C5C72BAA8CD21E7
                                                                                                                  SHA-256:50578EB887B529FB77AFAA4F3A888ECA57E2D640F4789BBEE470F1EFF04DEB7F
                                                                                                                  SHA-512:656C69FF2C62F2704AC409AA3B04CB78B9767FE908BD0BE4C6977A469B68D7C5F83B786EE915BECF5244E70892A48A92B9D0CA9A767EA329B63A6EAD98F9F274
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:version=26.8
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):96816
                                                                                                                  Entropy (8bit):6.180127833270033
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:ZJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7Hxw1:ZQUm2H5KTfOLgxFJjE50vksVUfPvCY
                                                                                                                  MD5:F8FE512BC57CBF44998221FD3C5944F4
                                                                                                                  SHA1:7AAC2422B394A66FDAFA69B63CFF174ACCA1C867
                                                                                                                  SHA-256:5D8527636659FAFA79AEB46A6C235C9C302EBEDF08196700C38C6592A404F71F
                                                                                                                  SHA-512:AB5BCE24D24F441438A7DFD3E525511DFA2A865EC93BC39F25B5DD46E99EECEC8D2A0FB181BCBBD99D71F366FB00A47751B41A5926AA1031ACE905E453982E65
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):186416
                                                                                                                  Entropy (8bit):5.93420260026271
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:+kfZS7FUguxN+77b1W5GR69UgoCaf8/BCnfKlRUjW01KyFeJ:o+c7b1W4R6joxfQ8Q
                                                                                                                  MD5:A22369218A10056E810C621DB7F390CF
                                                                                                                  SHA1:17B681E178D96185987EFBF578DFD340A5FBF356
                                                                                                                  SHA-256:987534702FC690CFB0C8B21691C91FF42268FD21C27925D93F0F788FBE03EE80
                                                                                                                  SHA-512:6D49C50DF7599799902C7544C6B60300B8C2736719C408E828306ED7839EAC63AD5FC003E5FCA0F25623FBBED7244E0BE4F5EC2D7C6C529C53944603088B61E2
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):331824
                                                                                                                  Entropy (8bit):6.169000089371824
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:QBhhiUWKJzPZNRntAXIjxs2f5Jg53XWlvidurmdIq8KmefViYkJTVBXi3VaKtNT6:QDMUWITZznu85k8Wdn8KmCjIFi3VvG
                                                                                                                  MD5:DDA5C3CE3FDBDD8A7EE32FD4C52E1A7A
                                                                                                                  SHA1:8C01C9943BDBA54ED58FA308408AB5961647FF03
                                                                                                                  SHA-256:42DBAE4DC463C840A39C9DC5A0DB218C565013EAF08CE2340DF78E1F83A3F0CC
                                                                                                                  SHA-512:4C10E61D86F3822FFEFFDA55B0A0C6063C1AEDB9AF200A5747CA4F84754C396D88ECDCF25F54834EDCCDF303AFDAF6FF25116445C381AB77190A78AE3C286136
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):710192
                                                                                                                  Entropy (8bit):5.960836949197253
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:0Bja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUG:0Bjk38WuBcAbwoA/BkjSHXP36RMGj
                                                                                                                  MD5:9B18B6E518E2088BC98D77C3ED163319
                                                                                                                  SHA1:4F6C785597BBAB2BCAFE0527E99F2271D334B628
                                                                                                                  SHA-256:ABBD5647F1F025E7D0B1148E909B3CE9D9CFEA3B737B156889C0EE33F4C42C92
                                                                                                                  SHA-512:A2EA7FD06834A047AE64CDFA762CD55A8BC486912933E254EA565E1294C75CFA24DB66990C87881B05156F5549FC7E695E2439E736B7435EF8FABE7B36A5EF51
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):55856
                                                                                                                  Entropy (8bit):6.238978848951217
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:hREoc0f5k1KlLoz0WOySMEpnSO7iX16UJKdiYpBEpYinAMxCWLg:hR8+5k15z0WBZEtgwJq7Hx3U
                                                                                                                  MD5:DFFF197E97490BB88ACF7EBB14870A4C
                                                                                                                  SHA1:F355204DCB7F9045A91F3C6E20AB9D54C42A1B6C
                                                                                                                  SHA-256:65AA35A36E77421CAAE591068E7C3AD23E1DFE3D51D5FBF39F8F308B4F19970E
                                                                                                                  SHA-512:6F450AE14BC9EE67D99E894CD1F256F7D6885D03C8BEC8AD449F26B0D2FA64036763432BBF69D5887C7053E7BF5B2EFC4030C584731054B5FF4F6EB335C16C15
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):602672
                                                                                                                  Entropy (8bit):6.145404526272746
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                  MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                  SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                  SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                  SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):73264
                                                                                                                  Entropy (8bit):5.954475034553661
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                  MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                  SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                  SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                  SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):753
                                                                                                                  Entropy (8bit):4.853078320826549
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:qLLYem7haYNem7hcomf3em7hUQLtygXnC9xkKxeCsx/Yem7haYNem7hcomf3em7B:qLUVhzVhM3VhdLtXXIxkKxeCsOVhzVhY
                                                                                                                  MD5:8298451E4DEE214334DD2E22B8996BDC
                                                                                                                  SHA1:BC429029CC6B42C59C417773EA5DF8AE54DBB971
                                                                                                                  SHA-256:6FBF5845A6738E2DC2AA67DD5F78DA2C8F8CB41D866BBBA10E5336787C731B25
                                                                                                                  SHA-512:CDA4FFD7D6C6DFF90521C6A67A3DBA27BF172CC87CEE2986AE46DCCD02F771D7E784DCAD8AEA0AD10DECF46A1C8AE1041C184206EC2796E54756E49B9217D7BA
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.Installing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..Installing service AteraAgent.....Service AteraAgent has been successfully installed...Creating EventLog source AteraAgent in log Application.....Committing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (7463), with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):7466
                                                                                                                  Entropy (8bit):5.1606801095705865
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BefnanGEkn56vT4ZvR++JDr+:NexdYX7OSRjXsaA0Ndhi
                                                                                                                  MD5:362CE475F5D1E84641BAD999C16727A0
                                                                                                                  SHA1:6B613C73ACB58D259C6379BD820CCA6F785CC812
                                                                                                                  SHA-256:1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
                                                                                                                  SHA-512:7630E1629CF4ABECD9D3DDEA58227B232D5C775CB480967762A6A6466BE872E1D57123B08A6179FE1CFBC09403117D0F81BC13724F259A1D25C1325F1EAC645B
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):145968
                                                                                                                  Entropy (8bit):5.874150428357998
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                  MD5:477293F80461713D51A98A24023D45E8
                                                                                                                  SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                  SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                  SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1442
                                                                                                                  Entropy (8bit):5.076953226383825
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                  MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                  SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                  SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                  SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3318832
                                                                                                                  Entropy (8bit):6.534876879948643
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                  MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                  SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                  SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                  SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):215088
                                                                                                                  Entropy (8bit):6.030864151731967
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                  MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                  SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                  SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                  SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):710192
                                                                                                                  Entropy (8bit):5.96048066969898
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                  MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                  SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                  SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                  SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):602672
                                                                                                                  Entropy (8bit):6.145404526272746
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                  MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                  SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                  SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                  SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):73264
                                                                                                                  Entropy (8bit):5.954475034553661
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                  MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                  SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                  SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                  SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                  File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):251
                                                                                                                  Entropy (8bit):5.14562119598479
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:A0Yqa5LKFKui4QluiKFHnFSLRg42VVFm3KQPETwoyePVzFTfg2D2GQOTVzFDGg2L:AFqac8HpKFSQ7m3BcTnFpDBFDgDX
                                                                                                                  MD5:7872FF017D26DAC27EF4E302010C0F9E
                                                                                                                  SHA1:A5813CBA90D35250ABFE6113E83EA703E1A96C8E
                                                                                                                  SHA-256:9010C4003DDA7F8323D90F692E7F76EDA7419F497D078285E6B771F95971A27F
                                                                                                                  SHA-512:6DB921CD1998490BF7A2863F9B2584F54B305D29375B8C1874C9342485C23277931F5919FEC9EB030D76F4A8E4754CF5F6DF3F069E7E0CD4C9CB154832167072
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:/i /IntegratorLogin=daniteixeiraca@gmail.com /CompanyId=4 /IntegratorLoginUI= /CompanyIdUI= /FolderId= /AccountId=001Q300000GIFLyIAP /AgentId=7a7e43f1-0afc-4f50-8c61-339131846a69.05/09/2024 11:23:14 Trace Starting..05/09/2024 11:23:26 Trace Starting..
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):178
                                                                                                                  Entropy (8bit):5.264262289406411
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:5PbTsPsxOVfy2V6SD+baI6UgMHDxZfHPTsPkK7TEfrsf3J2MzqRI+OPkvOy:RbT+fn2ZRgMHDzfLlj25rmRcfy
                                                                                                                  MD5:F07DEF955C0D995EEF2A1F00B31621EC
                                                                                                                  SHA1:C5AFCCCAF900259C55E8B1D08E8BB468252B7C89
                                                                                                                  SHA-256:6B0EEF9F0BBA351269757EE49A34031FAE0034647F7568DDE90471B39DF25420
                                                                                                                  SHA-512:33D7D5DBA1A413A938713830056C8DBD96FDAD2D887FA42CDD507F3FA8AC94DDF2C1CD56D36BF64548A38649EF8AED6841CB0F88D4ECE91794D2C0EE8E3FC8A1
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:eyJJZCI6IjI5ZjM2ZGY5LTNmMzEtNDQ3ZS05YWU3LTJjODE3NjhhYWVhMCIsIkNyZWF0ZWQiOiIyMDI0LTA5LTA1VDExOjI0OjA4LjQxOTc5NjMtMDQ6MDAiLCJNZXNzYWdlIjoiX0lOSVRfIiwiVGltZW91dCI6IjAwOjAxOjAwIn0=..
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):251
                                                                                                                  Entropy (8bit):5.14562119598479
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:A0Yqa5LKFKui4QluiKFHnFSLRg42VVFm3KQPETwoyePVzFTfg2D2GQOTVzFDGg2L:AFqac8HpKFSQ7m3BcTnFpDBFDgDX
                                                                                                                  MD5:7872FF017D26DAC27EF4E302010C0F9E
                                                                                                                  SHA1:A5813CBA90D35250ABFE6113E83EA703E1A96C8E
                                                                                                                  SHA-256:9010C4003DDA7F8323D90F692E7F76EDA7419F497D078285E6B771F95971A27F
                                                                                                                  SHA-512:6DB921CD1998490BF7A2863F9B2584F54B305D29375B8C1874C9342485C23277931F5919FEC9EB030D76F4A8E4754CF5F6DF3F069E7E0CD4C9CB154832167072
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:/i /IntegratorLogin=daniteixeiraca@gmail.com /CompanyId=4 /IntegratorLoginUI= /CompanyIdUI= /FolderId= /AccountId=001Q300000GIFLyIAP /AgentId=7a7e43f1-0afc-4f50-8c61-339131846a69.05/09/2024 11:23:14 Trace Starting..05/09/2024 11:23:26 Trace Starting..
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):145968
                                                                                                                  Entropy (8bit):5.874150428357998
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                  MD5:477293F80461713D51A98A24023D45E8
                                                                                                                  SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                  SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                  SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1442
                                                                                                                  Entropy (8bit):5.076953226383825
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                  MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                  SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                  SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                  SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):3318832
                                                                                                                  Entropy (8bit):6.534876879948643
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                  MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                  SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                  SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                  SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):215088
                                                                                                                  Entropy (8bit):6.030864151731967
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                  MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                  SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                  SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                  SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):710192
                                                                                                                  Entropy (8bit):5.96048066969898
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                  MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                  SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                  SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                  SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):602672
                                                                                                                  Entropy (8bit):6.145404526272746
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                  MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                  SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                  SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                  SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):73264
                                                                                                                  Entropy (8bit):5.954475034553661
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                  MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                  SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                  SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                  SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:CSV text
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2402
                                                                                                                  Entropy (8bit):5.362731083469072
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:MxHKQg8mHDp684IHTQ06YHKGSI6oPtHTHhAHKKk+HKlT4v1qHGIs0HKaHKmTHlH7:iqzCIzQ06YqGSI6oPtzHeqKk+qZ4vwme
                                                                                                                  MD5:28B4BFE9130A35038BD57B2F89847BAE
                                                                                                                  SHA1:8DBF9D2800AB08CCA18B4BA00549513282B774A9
                                                                                                                  SHA-256:19F498CAE589207075B8C82D7DACEAE23997D61B93A971A4F049DC14C8A3D514
                                                                                                                  SHA-512:02100FD4059C4D32FBAAA9CEAACB14C50A4359E4217203B2F7A40E298AD819ED5469F2442291F12852527A2B7109CC5F7BFF7FDAD53BA5ABF75FC5F0474E984F
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\434f871c532673e1359654ad68a1c225\System.Configuration.Install.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\a
                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                  File Type:CSV text
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):651
                                                                                                                  Entropy (8bit):5.343677015075984
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yiv:ML9E4KlKDE4KhKiKhPKIE4oKNzKoM
                                                                                                                  MD5:7EEF860682F76EC7D541A8C1A3494E3D
                                                                                                                  SHA1:58D759A845D2D961A5430E429EF777E60C48C87E
                                                                                                                  SHA-256:65E958955AC5DBB7D7AD573EB4BB36BFF4A1DC52DD16CF79A5F7A0FA347727F1
                                                                                                                  SHA-512:BF7767D55F624B8404240953A726AA616D0CE60EC1B3027710B919D6838EFF7281A79B49B22AB8B065D8CA921EF4D09017A0991CB4A21DAF09B3B43E6698CB04
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2994176
                                                                                                                  Entropy (8bit):7.878671241504918
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:49152:P+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:P+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                  MD5:305302B116CF1AFFD6662385B845FAD7
                                                                                                                  SHA1:DE4D88C3F376F749B21A8EEB572A80BC481637B0
                                                                                                                  SHA-256:FAB822CC1D5B10A959DE748250BADB0F1244964942814046B74C41B8887C8C00
                                                                                                                  SHA-512:A43452440D5B37176BBA6E61C5C58E33DCF881C08CD7275826E6213BB8A39EFDFF2DEF3E95770C41CE1445692D55CB8665C0FD00D77808EC99574BA17624725A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2994176
                                                                                                                  Entropy (8bit):7.878671241504918
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:49152:P+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:P+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                  MD5:305302B116CF1AFFD6662385B845FAD7
                                                                                                                  SHA1:DE4D88C3F376F749B21A8EEB572A80BC481637B0
                                                                                                                  SHA-256:FAB822CC1D5B10A959DE748250BADB0F1244964942814046B74C41B8887C8C00
                                                                                                                  SHA-512:A43452440D5B37176BBA6E61C5C58E33DCF881C08CD7275826E6213BB8A39EFDFF2DEF3E95770C41CE1445692D55CB8665C0FD00D77808EC99574BA17624725A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {911E9E2F-B38D-4D02-A148-5E49FC9D8943}, Create Time/Date: Wed Feb 28 10:52:04 2024, Last Saved Time/Date: Wed Feb 28 10:52:04 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2994176
                                                                                                                  Entropy (8bit):7.878630966889847
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:49152:s+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oq1xMbY+K/tzQz:s+lUlz9FKbsodq0YaH7Z1xMb8tT
                                                                                                                  MD5:5E90226ABB5A004B0B9DB9A9E67BAC21
                                                                                                                  SHA1:34EB703055BAFA469A714F18C7F00E5098B764AF
                                                                                                                  SHA-256:BE0C53481ED4CF3EC4D0AD16053CD18D6AAD8C349B8281F5F9B90B526420CEAE
                                                                                                                  SHA-512:2676357D10AA76F09F2A1F691C7566D54E34B20716EDF1301B2D69C3E3400D0A70E7C1738AEA9A75334B384AB988CEA3A07B983C900AE32395285BE61673C288
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {911E9E2F-B38D-4D02-A148-5E49FC9D8943}, Create Time/Date: Wed Feb 28 10:52:04 2024, Last Saved Time/Date: Wed Feb 28 10:52:04 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2994176
                                                                                                                  Entropy (8bit):7.878630966889847
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:49152:s+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oq1xMbY+K/tzQz:s+lUlz9FKbsodq0YaH7Z1xMb8tT
                                                                                                                  MD5:5E90226ABB5A004B0B9DB9A9E67BAC21
                                                                                                                  SHA1:34EB703055BAFA469A714F18C7F00E5098B764AF
                                                                                                                  SHA-256:BE0C53481ED4CF3EC4D0AD16053CD18D6AAD8C349B8281F5F9B90B526420CEAE
                                                                                                                  SHA-512:2676357D10AA76F09F2A1F691C7566D54E34B20716EDF1301B2D69C3E3400D0A70E7C1738AEA9A75334B384AB988CEA3A07B983C900AE32395285BE61673C288
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):521954
                                                                                                                  Entropy (8bit):7.356225107100806
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                  MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                  SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                  SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                  SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):25600
                                                                                                                  Entropy (8bit):5.009968638752024
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                  MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                  SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                  SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                  SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIB567.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p
                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1538
                                                                                                                  Entropy (8bit):4.735670966653348
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                  MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                  SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                  SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                  SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):184240
                                                                                                                  Entropy (8bit):5.876033362692288
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                  MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                  SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                  SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                  SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):711952
                                                                                                                  Entropy (8bit):5.96669864901384
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                  MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                  SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                  SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                  SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....
                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):61448
                                                                                                                  Entropy (8bit):6.332072334718381
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                  MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                  SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                  SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                  SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bP.........." ..................... .........c. ....................... ......>.....`.....................................O.......\................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H........"..`...........D....".......................................................................................0...............0.......................................................................0...............................................................................................................................................0...............0...................................................0...............0..............................................
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):521954
                                                                                                                  Entropy (8bit):7.356225107100806
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                  MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                  SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                  SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                  SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................
                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):25600
                                                                                                                  Entropy (8bit):5.009968638752024
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                  MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                  SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                  SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                  SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIBA36.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p
                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1538
                                                                                                                  Entropy (8bit):4.735670966653348
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                  MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                  SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                  SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                  SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):184240
                                                                                                                  Entropy (8bit):5.876033362692288
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                  MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                  SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                  SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                  SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):711952
                                                                                                                  Entropy (8bit):5.96669864901384
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                  MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                  SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                  SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                  SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):61448
                                                                                                                  Entropy (8bit):6.332072334718381
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                  MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                  SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                  SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                  SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):521954
                                                                                                                  Entropy (8bit):7.356225107100806
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                  MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                  SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                  SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                  SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):521954
                                                                                                                  Entropy (8bit):7.356225107100806
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                  MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                  SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                  SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                  SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):25600
                                                                                                                  Entropy (8bit):5.009968638752024
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                  MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                  SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                  SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                  SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIBCE7.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1538
                                                                                                                  Entropy (8bit):4.735670966653348
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                  MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                  SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                  SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                  SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):184240
                                                                                                                  Entropy (8bit):5.876033362692288
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                  MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                  SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                  SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                  SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):711952
                                                                                                                  Entropy (8bit):5.96669864901384
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                  MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                  SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                  SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                  SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):61448
                                                                                                                  Entropy (8bit):6.332072334718381
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                  MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                  SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                  SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                  SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):521954
                                                                                                                  Entropy (8bit):7.356225107100806
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                  MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                  SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                  SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                  SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):521954
                                                                                                                  Entropy (8bit):7.356225107100806
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                  MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                  SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                  SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                  SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):25600
                                                                                                                  Entropy (8bit):5.009968638752024
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                  MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                  SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                  SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                  SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSICC98.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1538
                                                                                                                  Entropy (8bit):4.735670966653348
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                  MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                  SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                  SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                  SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):184240
                                                                                                                  Entropy (8bit):5.876033362692288
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                  MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                  SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                  SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                  SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):711952
                                                                                                                  Entropy (8bit):5.96669864901384
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                  MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                  SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                  SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                  SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):61448
                                                                                                                  Entropy (8bit):6.332072334718381
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                  MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                  SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                  SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                  SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):437361
                                                                                                                  Entropy (8bit):6.648165280383273
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:ft3jOZy2KsGU6a4Ksht3jOZy2KsGU6a4Ksx:lzOE2Z34KGzOE2Z34Km
                                                                                                                  MD5:B2C4E3BFA39BF23A03EFCE39BCDD0BFF
                                                                                                                  SHA1:9FE8C26D081AA7ADBF9F3D8978B184301A25A518
                                                                                                                  SHA-256:8787C3E0AFBDD8D79EE8216D0A43540AB46C0112863A80B1A694A47241ABA807
                                                                                                                  SHA-512:733C77E106C94B4B9E261F8AA886C6284456840B1007C7793C088C582DD995A1B0EB1E21390847B33CDAAE6242A5673654AAFE6156A557DF322ABA511038584D
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSICE7D.tmp, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:...@IXOS.@.....@.Z%Y.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent8.SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<.............
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):216496
                                                                                                                  Entropy (8bit):6.646208142644182
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                  MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                  SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                  SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                  SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):216496
                                                                                                                  Entropy (8bit):6.646208142644182
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                  MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                  SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                  SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                  SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):436008
                                                                                                                  Entropy (8bit):6.651561755066026
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:St3jOZy2KsGU6a4Ksht3jOZy2KsGU6a4Kse:6zOE2Z34KGzOE2Z34K5
                                                                                                                  MD5:BC54EF5F6A91BE6496D9448F0C61F06F
                                                                                                                  SHA1:C71462FDE1AE3D3C008065B354FE193327615AC5
                                                                                                                  SHA-256:BF552E2ADE98F393498A59A585E2B6FC7FFBFA1CC2AE25FEE614FB44F2C2FBF4
                                                                                                                  SHA-512:FD6EAD522B0A00CDFBF798185FCDCFA2A253BE343DA9150464DD38C033ECD7DCA44D87876DACA2C5695F734A6DA6FC9A4E58C23BF12FF00857A02311B9D40935
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSID66F.tmp, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:...@IXOS.@.....@.[%Y.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent8.SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........InstallInitialize......&.{18F64F52-CE08-434F-A5F1-7A8A39D59EEA}....&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}c.&.{18F64F52-CE08-434F-A5F1-7A8A39D59EEA}............StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P.......................................
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):521954
                                                                                                                  Entropy (8bit):7.356225107100806
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                  MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                  SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                  SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                  SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):25600
                                                                                                                  Entropy (8bit):5.009968638752024
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                  MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                  SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                  SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                  SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIE45B.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1538
                                                                                                                  Entropy (8bit):4.735670966653348
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                  MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                  SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                  SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                  SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):184240
                                                                                                                  Entropy (8bit):5.876033362692288
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                  MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                  SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                  SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                  SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):711952
                                                                                                                  Entropy (8bit):5.96669864901384
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                  MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                  SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                  SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                  SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):61448
                                                                                                                  Entropy (8bit):6.332072334718381
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                  MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                  SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                  SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                  SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):437217
                                                                                                                  Entropy (8bit):6.64783503777502
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:+t3jOZy2KsGU6a4Kspt3jOZy2KsGU6a4KsT:ezOE2Z34K+zOE2Z34Km
                                                                                                                  MD5:31D935F74FE49FC7C91FAA93718E9508
                                                                                                                  SHA1:C90F234E017F24E1399FD2869EB74E83AD0F3AE9
                                                                                                                  SHA-256:E77D3EF6CC47806E83AA4D18E0CB32C17B97EDC28C7AD1D5D047218D82556673
                                                                                                                  SHA-512:8A18F78019C1646974963EE354288295B3D5C9BF4B50CF76636EB7E6BD640AD3F32BBB4C960B2043AC851FFE93EB1F94D2BF8EAE6743C2C5FC4053905BD081F0
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIF074.tmp, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:...@IXOS.@.....@.[%Y.@.....@.....@.....@.....@.....@......&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}..AteraAgent..ateraAgentSetup64_1_8_7_2.msi.@.....@.....@.....@........&.{911E9E2F-B38D-4D02-A148-5E49FC9D8943}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[....
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):216496
                                                                                                                  Entropy (8bit):6.646208142644182
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                  MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                  SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                  SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                  SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):216496
                                                                                                                  Entropy (8bit):6.646208142644182
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                  MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                  SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                  SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                  SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):216496
                                                                                                                  Entropy (8bit):6.646208142644182
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                  MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                  SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                  SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                  SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                  Category:modified
                                                                                                                  Size (bytes):521954
                                                                                                                  Entropy (8bit):7.356225107100806
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                  MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                  SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                  SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                  SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                  Malicious:true
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):20480
                                                                                                                  Entropy (8bit):1.1712578983767028
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:JSbX72FjiXiAGiLIlHVRpIh/7777777777777777777777777vDHFzTPrfWrl0i5:J8SQI5wBTr/F
                                                                                                                  MD5:368989D32D78E51C14195D0952581E7A
                                                                                                                  SHA1:2007912F48BB65F52BC96F521901227D1D228C6F
                                                                                                                  SHA-256:A8A4788BE2F8089FEFF5FDC8E5EC20998542B57C9981C62D6933DE7E252C4F89
                                                                                                                  SHA-512:09F1B9F43AA6F4BEA89755AC2EEA27DE80C22EADCD12799E5CF3B1365C9CB1CD9DA5A328227777D76BA1D73EC5CCD9EE406FBB77F7A2B631DD765821DCA461D6
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):20480
                                                                                                                  Entropy (8bit):1.1913705198579838
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:JSbX72Fj4sXAlfLIlHmRpjh+7777777777777777777777777ZDHFZJxkLSvCjkV:JpUIYibJxkLSvCI8F
                                                                                                                  MD5:8255D1FCCAFE2B00096798779A989D15
                                                                                                                  SHA1:CE865C23DE14180CDA13D45ED3811226AD47A547
                                                                                                                  SHA-256:68C658F7431693268DACD7DEC1C0C4330A94E409719C373D12720415B7C30DE2
                                                                                                                  SHA-512:8DE8FF7B7CDE348986B7536AEB3DF1FB590F21C6F4E70A645EE57B3C0546FD4EF2E76F9A85179D56C87E64239832AF2CFE74F7557B1611F87BA6790BB57C1441
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):20480
                                                                                                                  Entropy (8bit):1.6188276798828047
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:G8PhPuRc06WXJEjT5gDfqISoedvPdvbCnuhnq9BnKYdStedvPdvxubS:ZhP1HjTeDSIciuBuhKG4
                                                                                                                  MD5:E19140D7252597256F99FE91881EAFF4
                                                                                                                  SHA1:B1D31EF2F45462E673F1498AFBCF702E62B40FB0
                                                                                                                  SHA-256:37E41200AA2745E731E0EDEB1847B845DBA0BC3166A1DD6D83C6116BBCAF0F2D
                                                                                                                  SHA-512:E963295BF2BECD01C2701A08465187BA920C9A1576F880F714B3E5C83940B165FAEC2CF2E31166E18F4A5264FD8FB88C677C84AAA3C2A2C3F015C3C3C7724F06
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\inprogressinstallinfo.ipi, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):364484
                                                                                                                  Entropy (8bit):5.365491117118091
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauf:zTtbmkExhMJCIpE8
                                                                                                                  MD5:C8AE5507A6AD00A03D639C8A508049FE
                                                                                                                  SHA1:2CF66EAAD38A0324AC5A584D6B7DFBB7ED5392B1
                                                                                                                  SHA-256:C77F521AB3865CC088F1DE06DC9EC2DD33DD3269DC11A9F9F818583EED939323
                                                                                                                  SHA-512:53FA6B858E2EAA4E58B9D46FB3764409AE67543C4E30FDCE14909DFF2414C0928A2517275D3DC63DF75C4DA6313466D46CBE094D5FECF44B6BE5ACD66AC184E9
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                  File Type:CSV text
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):651
                                                                                                                  Entropy (8bit):5.343677015075984
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yiv:ML9E4KlKDE4KhKiKhPKIE4oKNzKoM
                                                                                                                  MD5:7EEF860682F76EC7D541A8C1A3494E3D
                                                                                                                  SHA1:58D759A845D2D961A5430E429EF777E60C48C87E
                                                                                                                  SHA-256:65E958955AC5DBB7D7AD573EB4BB36BFF4A1DC52DD16CF79A5F7A0FA347727F1
                                                                                                                  SHA-512:BF7767D55F624B8404240953A726AA616D0CE60EC1B3027710B919D6838EFF7281A79B49B22AB8B065D8CA921EF4D09017A0991CB4A21DAF09B3B43E6698CB04
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):704
                                                                                                                  Entropy (8bit):4.805280550692434
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:tIDRFK4mAX7RBem7hccD+PRem7hUhiiGNGNdg6MhgRBem7hccD+PRem7hUGNGNkm:Us43XVBVhcmMRVhMipNVeBVhcmMRVhro
                                                                                                                  MD5:EF51E16A5B81AB912F2478FE0A0379D6
                                                                                                                  SHA1:B0F9E2EE284DD1590EA31B2D3AD736D77B9FC6A7
                                                                                                                  SHA-256:2C5D5397CEDF66DB724FED7FB4515B026A894F517A0DFBE8AE8ADF52DB61AA22
                                                                                                                  SHA-512:296A11DB55BFEE7D87897BB63BC9E2C05786D3FD73A894DA5AF76F7A756495C6CCC0959C88844DFB5560DE2374A257201D960E004EC09D8C9DFB50952C5EF2D2
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\System32\InstallUtil.InstallLog, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:...Running a transacted installation.....Beginning the Install phase of the installation...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Install phase completed successfully, and the Commit phase is beginning...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Commit phase completed successfully.....The transacted install has completed...
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):471
                                                                                                                  Entropy (8bit):7.191010062036378
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:JyYOHLt5GLsHHZGpCcu5j7HhRs3DFVjuq3WWOJ2ez2dn:JROHLtILsnZzlRs3RERzAr
                                                                                                                  MD5:20069500756A1A645A477C9E9D57E4D0
                                                                                                                  SHA1:7D5D14A9FEEC763954A936318F1D9890B728622A
                                                                                                                  SHA-256:0B9C59CBDAC33DA5E2B39A0BE1BF9D5861E0188C0442CF300FCDC70CBF9A3CB7
                                                                                                                  SHA-512:29EE4033C4552DDE83F70D5038593EFB9EB5F1AFD19EDBF003D3996F0615552189F9F9D08AD36628A0DA1E82A10EFC82233F543A0BC4D622923632228854F91A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):727
                                                                                                                  Entropy (8bit):7.600077064643396
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:5o6Tq9wOV5h44TUqyhqyGuTB4w5UKeIo35qlyR+ySJ0hPcT92eJugrGP+srpF:5HOVoqyBzBdeIo388i0NkugrGmsrpF
                                                                                                                  MD5:C904EEA4067FC0E99C77ABE28C6CFABA
                                                                                                                  SHA1:5E0FB2B735D49E7820CD5E1DE57A2DF9637AC702
                                                                                                                  SHA-256:1DC7C8A44818D301ECC721EDDB941F02CF90BE6F1F9AB6695E2555C0C5D5A593
                                                                                                                  SHA-512:4F4D7454C20FC0D71A645AE30555945F549CEC48F860F3C07EE26B6778615D48B9C2B4F9FF850D423DCF3814DA7F5045D8C3DE9B50C65DA9B5D9DF9DD82EB512
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:Certificate, Version=3
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1716
                                                                                                                  Entropy (8bit):7.596259519827648
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:GL3d+gG48zmf8grQcPJ27AcYG7i47V28Tl4JZG0FWk8ZHJ:GTd0PmfrrQG28cYG28CEJ
                                                                                                                  MD5:D91299E84355CD8D5A86795A0118B6E9
                                                                                                                  SHA1:7B0F360B775F76C94A12CA48445AA2D2A875701C
                                                                                                                  SHA-256:46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
                                                                                                                  SHA-512:6D11D03F2DF2D931FAC9F47CEDA70D81D51A9116C1EF362D67B7874F91BF20915006F7AF8ECEBAEA59D2DC144536B25EA091CC33C04C9A3808EEFDC69C90E816
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):727
                                                                                                                  Entropy (8bit):7.5942481881433865
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:12:5onfZHDc5RlRtBfQtDMTsxVgTZdHqnDFv1XZMl8VK395kkdqFKOjSxxiu9EyjwL5:5ipDcdZsDMT8gTZdH21pMlxN5kOoBSxw
                                                                                                                  MD5:774D3AA92B12172225257EA4C5C95EEE
                                                                                                                  SHA1:770939EE446F51845370AFD2B75193746DCA5E73
                                                                                                                  SHA-256:F812308ABD1EBA4984EDCB716A18D0CBB0FFC82403A2724E9B449137F5228977
                                                                                                                  SHA-512:1E3B7622839DC8E0F309AAA190E56DB237A86600E758F995817B716921879176E64EC9253E3BF154631D5FB7F49D84DB22B5EA675B37D2CB645D83468335F62F
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:Certificate, Version=3
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1428
                                                                                                                  Entropy (8bit):7.688784034406474
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
                                                                                                                  MD5:78F2FCAA601F2FB4EBC937BA532E7549
                                                                                                                  SHA1:DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
                                                                                                                  SHA-256:552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
                                                                                                                  SHA-512:BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):338
                                                                                                                  Entropy (8bit):3.4631932394955873
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6:kKkx83yJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:8xCxkPlE99SCQl2DUevat
                                                                                                                  MD5:9CB258AAD9BEABD83775054F5427571C
                                                                                                                  SHA1:E2752B84797BA09E6D20AD2A95BC234FB38A116C
                                                                                                                  SHA-256:7FC592AAE1969ECFF20D34E1D0D7B56CE49F35634FCF7B5811392D7D7C394840
                                                                                                                  SHA-512:E5364C5A197CCA45B0F5A1DA35DBCB9E848243C38E8EF83A800C28BF71300B7FDBB3642586C9F84C1416F51BB9AEE4D9D3BA782DEA03BEE70A2841EF89C089C7
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:p...... ........jG......(.................................................L#... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):400
                                                                                                                  Entropy (8bit):4.040140230832649
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6:kKZBzyk3nXlRNfOAUMivhClroFzCJCgO3lwuqDnlyQ4hY5isIlQhZgJn:RBVmxMiv8sFzD3quqDkPh8Y2ZM
                                                                                                                  MD5:A52EFE59A40A72AB1AD1379080F0AB91
                                                                                                                  SHA1:BEB361324B9EC85C893DDEBFEB0F26E3763B4356
                                                                                                                  SHA-256:BC9DF1F67F8596D4AD0AF9F941835DCF6F4ABA9BFF6342E573AE43E69681DACC
                                                                                                                  SHA-512:3FAB276D9E9F6E0234F6C8662B7FF4C93B52DBF5F89D59DF0FF8A7D3E441C216B2202A91FAF961B633C2A509BBA90378AA222379BB246E15B4AC01F31B44D275
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:p...... ...............(................*K......j/.k....................j/.k... .........m.... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.3.x.L.4.L.Q.L.X.D.R.D.M.9.P.6.6.5.T.W.4.4.2.v.r.s.U.Q.Q.U.R.e.u.i.r.%.2.F.S.S.y.4.I.x.L.V.G.L.p.6.c.h.n.f.N.t.y.A.8.C.E.A.6.b.G.I.7.5.0.C.3.n.7.9.t.Q.4.g.h.A.G.F.o.%.3.D...
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):404
                                                                                                                  Entropy (8bit):3.9553913650834787
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6:kK3mMBTavIfOAUMivhClroFHXHDZA6liyZlSlMul0bg3PWovy28lhl+KscSikKY3:7TrmxMiv8sF3HtllJZIvOP205scn8
                                                                                                                  MD5:C33D19B4CF7B48B1125D22189F6C335F
                                                                                                                  SHA1:7EEF59D306FD29AEFF6C5A08151062C0FE382C17
                                                                                                                  SHA-256:52D3EFD1FDA7F287EED4441B95D7CEB2B1057BBE648FADA10C9C1AD1BA3FE254
                                                                                                                  SHA-512:17B8FCDB057D7A49623C7E94F8B85E12F825E15A7270DE33F45264A00E6951A14A1F7D1B70B7E5F482E54AFFD57085A868FC68FC7735D755B3F3F727378649DD
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:p...... .... ....'......(................. .......?.......................?..... .........s.... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.S.R.X.e.r.F.0.e.F.e.S.W.R.r.i.p.T.g.T.k.c.J.W.M.m.7.i.Q.Q.U.a.D.f.g.6.7.Y.7.%.2.B.F.8.R.h.v.v.%.2.B.Y.X.s.I.i.G.X.0.T.k.I.C.E.A.o.o.S.Z.l.4.5.Y.m.N.9.A.o.j.j.r.i.l.U.u.g.%.3.D...
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):308
                                                                                                                  Entropy (8bit):3.2155953741951353
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6:kKjtAzNcalgRAOAUSW0P3PeXJUwh8lmi3Y:LdtWOxSW0P3PeXJUZY
                                                                                                                  MD5:CCBC61B3EAA98EBAC2BE462DCD4EF53F
                                                                                                                  SHA1:948565DA66A3E9ABCA5D74C20426EF2D749C3688
                                                                                                                  SHA-256:D2A9D8AFA773A67C2568F4FFF89E7A9C5A076E7AA36954B047BC007C571E4246
                                                                                                                  SHA-512:50B24283F2C24BDAEA4C3F014354EFB45AB5F0E5CCBB907DCEEAD9A7034EB12BC645431CFBF7A51ACBC34AB0E1058149C93B42394DB69B3145F614D4AA12F13B
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:p...... .........h.....(....................................................... ........}.-@@......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.t...".6.0.9.0.3.0.2.2.-.6.b.4."...
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):412
                                                                                                                  Entropy (8bit):4.01190406679181
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6:kKsYxEL9ZiCvOfOAUMivhClroFfJSUm2SQwItJqB3UgPSgakZdPolRMnOlAkrn:lx8OmxMiv8sFBSfamB3rbFURMOlAkr
                                                                                                                  MD5:475915E543F39BF55BB695C0879A212E
                                                                                                                  SHA1:6EC3510D5F9D69F7F7CA5CCD5E78DEE2056E25C1
                                                                                                                  SHA-256:3152AB1AF602219D1BA8035E3F188FEC21AA1C745DA29AC2E16FFBE2BBCFFCD1
                                                                                                                  SHA-512:9172D8D984313C5A25B8F3DEB4D593609819B8F672780F134C15C95154827D0B203291308A9C3ACB044AAC06EAA97F36ADC3AB7796D970DD866BCB65533057D0
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:p...... ....(...o......(...................0......'.......................'.... ........;..... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):254
                                                                                                                  Entropy (8bit):3.068646898467291
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6:kK42gLDcJgjcalgRAOAUSW0PTKDXMOXISKlUp:HgLYS4tWOxSW0PAMsZp
                                                                                                                  MD5:8600C724ECD13880F923FB051347EC54
                                                                                                                  SHA1:A9A0CBC599C10B625468D8F2BC728CD93FC8E968
                                                                                                                  SHA-256:A4D22EFCE7A60801C5A6CFAC928E302C42313E61CAC9A3DA79F5C8E317AB5E1C
                                                                                                                  SHA-512:18C1CFE5833DF44B1FF257A8181D547BE54BDC589E3AA2CDEAB2B74067C9D66ED1E0A9F6FB2E85C89335926C6FD9155B8CE52C73B5FC6F33327F39F8209F1600
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:p...... ....l...........(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                  File Type:CSV text
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1944
                                                                                                                  Entropy (8bit):5.343420056309075
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:MxHKQg8mHDp684YHKGSI6oPtHTHhAHKKkhHNpaHKlT44HKmHKe60:iqzCYqGSI6oPtzHeqKkhtpaqZ44qmq10
                                                                                                                  MD5:437E4DCFC04CB727093C5232EA15F856
                                                                                                                  SHA1:81B949390201F3B70AE2375518A0FFD329310837
                                                                                                                  SHA-256:5EADB9774A50B6AD20D588FDA58F5A42B2E257A0AA26832B41F8EA008C1EB96B
                                                                                                                  SHA-512:0332C7E5205CF9221172473A841284487ACC111780A58557231FCDE72A5EDB7E7E3EF6C87AB9682A688BC24992A74027F930267B541039BD8757EEF4E2F51A0E
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
                                                                                                                  File Type:CSV text
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1795
                                                                                                                  Entropy (8bit):5.353901281631376
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:MxHKQwYHKGSI6owHptHTHhAHKKk+HKlT44HKmHKe6SHj:iqbYqGSI6owJtzHeqKk+qZ44qmq1SD
                                                                                                                  MD5:B755B91A4B1975EEECAAD18CEC1DF3E3
                                                                                                                  SHA1:F286D733AF1945DFAD663A86D727786772EADB44
                                                                                                                  SHA-256:E85903F93B42B19B0BDD924D2B226C85AC81B0ADD69575FC4BEBDA80ACE604C8
                                                                                                                  SHA-512:8657703D5CB7D5D116FDD01E4D948B9B22EBFC82DFF103335C9BFB1C03E797744AA0388583385B07902188ACF1E558F81399B7627AD54291E6007358BFE83CBD
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Net.Http\f4b68470ad08185826d827aa6e7875b6\System.Net.Http.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.X
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1983
                                                                                                                  Entropy (8bit):5.345248756179348
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKksHVsHT6HNHOHKCHKlT40HKe60:iqbYqGSI6oPtzHeqKks1sz6tuqCqZ40T
                                                                                                                  MD5:F974F0FCD981AC0581C5498C0155EF91
                                                                                                                  SHA1:0CF6D5F41937B296EF9D37FC90E56EC8458B96DF
                                                                                                                  SHA-256:500B63AEC50B89EF4CEC9ED49E53D168CDC35D235CB416B84234D3E45F3AC365
                                                                                                                  SHA-512:1484917CC2A8E88DD4010FEE60394BD974D5C44ED0482DAD64B06A319E1F7E414321B8BDB06C6DE70152CFEA887BBDEFD2F2689C077251E8D2BBC9448FBF8719
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Runtime, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runtime\2702
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:modified
                                                                                                                  Size (bytes):3043
                                                                                                                  Entropy (8bit):5.361093730986187
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKk9HVsHUHhHKe6PfHKWA1eXrHKlT4d6HNHGHPmHKm:iqbYqGSI6oPtzHeqKk91s0Bq13qhA7qp
                                                                                                                  MD5:7FBB3BC293626F02EEE5D12A2FC44FE7
                                                                                                                  SHA1:A736DE9B60CEC25864AE995EF046F3F317B5D1AC
                                                                                                                  SHA-256:B6ED7FB8E1D3A5AB9858099700CDA16766D6F442587CD6F965815CF8AFC1444D
                                                                                                                  SHA-512:C175AF1525508EEA8DEAE8BE67E4780922492B3D01ACDB36B43220DE5B57898F10558F80C5D6218B61A236D35C41047527C6AD00770F477E23507AAEA7EF2000
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Net.Http\f4
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                                                                                                                  File Type:CSV text
                                                                                                                  Category:modified
                                                                                                                  Size (bytes):1722
                                                                                                                  Entropy (8bit):5.366509527070196
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkCHKe6PfHKWA1eXrHKlT4fHi:iqbYqGSI6oPtzHeqKkCq13qhA7qZ4fC
                                                                                                                  MD5:12EDC7C8880BE159C159CCB8144A5011
                                                                                                                  SHA1:CB75973C194B8131E0BBAFEC417E13F040DEEC42
                                                                                                                  SHA-256:96935DE33B56EC976A012F6B2D00E39E66CF18735D5A65FBD849CFA0648C8A22
                                                                                                                  SHA-512:C11A8DD3774B5FB0E6D9326759D039203C23B657F47F17AC1920C425F54E4B0FA44AE93ED87302603E330F75EA359E7969B7CBFEEC0DC432F88DA5551CA7D1B5
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data\545a9409c1
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1968
                                                                                                                  Entropy (8bit):5.358970550932517
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkrJHxLHqHvHl3HKlT44HKmHKe60:iqbYqGSI6oPtzHeqKktRLKPJqZ44qmqW
                                                                                                                  MD5:127E8EC0D285A5FE3BBBDF1356CCDA71
                                                                                                                  SHA1:C7DA4465A42E04A9AD4B914E59834166C37B9DA0
                                                                                                                  SHA-256:B094760E40845C308F474171B839A5EC85B309988A435A902F0CE530DAFF9E62
                                                                                                                  SHA-512:26B6E475C5F49F82F97EAD731E7D61E07E3DACDF5D88D38362708F185D63BBA0E5A0DB420CE1D6F9402B04E1BBA3338659639F963977807F79E277B5B13F3358
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKe
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                  File Type:CSV text
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1499
                                                                                                                  Entropy (8bit):5.341844552740347
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUN+E4KlOU4mHE4KXWE4Ke60:MxHKQwYHKGSI6oPtHTHhAHKKk+HKlT4A
                                                                                                                  MD5:1F102800C2B4B52354570886D784EA54
                                                                                                                  SHA1:B84148B4A84AF5669134EB9EC27904A05E2517D2
                                                                                                                  SHA-256:8367F22954F447B469ED78A27028539219651BEB79AFF371045A3347E99B906A
                                                                                                                  SHA-512:AE4C42696AC5C7F532820D0B5D2412FEAEE4641884B189559C25989E013E09D799C10C98DDC6813D9F7C76A475C34DF8A48BAFC2F5D17708CF5440F931D1CE0A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\Syste
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                  File Type:CSV text
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):1075
                                                                                                                  Entropy (8bit):5.353521172341231
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNa8mE4Dp689:MxHKQwYHKGSI6oPtHTHhAHKKka8mHDpN
                                                                                                                  MD5:BDADAD127D5A6079C29C0C870A5C3C2C
                                                                                                                  SHA1:AD5D30886AE959F271CF777D386A31CD792C9A64
                                                                                                                  SHA-256:7186B9EAC66BD83E5E1C050D81529BC68511538118E65019EBECFD952C22FD55
                                                                                                                  SHA-512:198087F52C39A32ACE7A90E9212C2AA0F31EDF8349773C8C6C5495CA82C890F9A8A44356AC5AEBB42F3342E6BE981DC4BCFE1D7FB43760745D7240A117257725
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv7
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with very long lines (319), with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):227654
                                                                                                                  Entropy (8bit):3.7728909018380774
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:1536:aifzEIeEPgIbxz/oBp8UE7o3OjUCQhgVjY/dhZfCm4vdZmOB/3vlX6+25zkviHUG:tAkjSUc4jmjlUHnOjGggx0t3
                                                                                                                  MD5:BE02D2E4F987B0747F1AD84A85F9982E
                                                                                                                  SHA1:021D9200B25E94591337ED12290592B1CA39F2E1
                                                                                                                  SHA-256:C1694F38B216C65776AE7DA45E2705D0541F77DE560FB56C9E8CF4AFEC42FAB1
                                                                                                                  SHA-512:A6025C0BDEC110347BCBED27DC8A0941F8D7BECA6B70993639EFFDFACBD5A77934C93E11154A62C324855DB05C3D2B5D70B5C9F6D532600A76A1159C59178108
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\AteraSetupLog.txt, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:=== Verbose logging started: 05/09/2024  11:24:07  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\SYSTEM32\msiexec.exe ===
                                                                                                                  MSI (c) (8C:1C) [11:24:07:284]: Resetting cached policy values
                                                                                                                  MSI (c) (8C:1C) [11:24:07:284]: Machine policy value 'Debug' is 0
                                                                                                                  MSI (c) (8C:1C) [11:24:07:284]: ******* RunEngine:
                                                                                                                             ******* Product: C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi
                                                                                                                             ******* Action: 
                                                                                                                             ******* CommandLine: **********
                                                                                                                  MSI (c) (8C:1C) [11:24:
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {911E9E2F-B38D-4D02-A148-5E49FC9D8943}, Create Time/Date: Wed Feb 28 10:52:04 2024, Last Saved Time/Date: Wed Feb 28 10:52:04 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2994176
                                                                                                                  Entropy (8bit):7.878630966889847
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:49152:s+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oq1xMbY+K/tzQz:s+lUlz9FKbsodq0YaH7Z1xMb8tT
                                                                                                                  MD5:5E90226ABB5A004B0B9DB9A9E67BAC21
                                                                                                                  SHA1:34EB703055BAFA469A714F18C7F00E5098B764AF
                                                                                                                  SHA-256:BE0C53481ED4CF3EC4D0AD16053CD18D6AAD8C349B8281F5F9B90B526420CEAE
                                                                                                                  SHA-512:2676357D10AA76F09F2A1F691C7566D54E34B20716EDF1301B2D69C3E3400D0A70E7C1738AEA9A75334B384AB988CEA3A07B983C900AE32395285BE61673C288
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):32768
                                                                                                                  Entropy (8bit):1.2644926294420604
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:pRwu+I+xFX4zT5yHxb25wBMlYYqISoedGPdGfYrM6StedGPdGRubxn:Tw5wTxHl6IC6o1
                                                                                                                  MD5:49663E6993D564D56B1A4E7B1BC955FA
                                                                                                                  SHA1:7AB8D6C4F9BAF540F194601829043A269D882F16
                                                                                                                  SHA-256:77B49B019E18ADF3EB1B9B699829BF6547EE4212C9587D452BAE8BF823BBFC81
                                                                                                                  SHA-512:47C91D482DA39AEBBE1E095DB0C89273D7BF4C88009B250946E72B951187A99441106399AACA513173790A604866B6BD8B530C50570E1497644F6A567B7B11EB
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF00F0C3246A438DDE.TMP, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):69632
                                                                                                                  Entropy (8bit):0.1630356246907644
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:TEubmStedvPdv+qISoedvPdvbCnuhnq9BnKYuP:hybIciuBuhKjP
                                                                                                                  MD5:45EC0F56145C24EF3DB5CF19F16C24B9
                                                                                                                  SHA1:8D6066ABC7F82F616B486FF32E470F52918D9CDD
                                                                                                                  SHA-256:EDCA9D6B58DDB710C7C84F9E80248CA3CC2E6BE89BD2ECE7C5EB46BF7CB7BED0
                                                                                                                  SHA-512:4E3712399676C98F8973AF29A3933D7D8D401E60504E9BFCFA1160A9D57CFFAA6E65787206C666B4413B2989A31B637E27DD6D2B332509F0BA14C21A9BC1EB44
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF0E46AA4143BA933B.TMP, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):32768
                                                                                                                  Entropy (8bit):0.077966497703753
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO1LtCmOuPrfkiVky6l51:2F0i8n0itFzDHFzTPrfWr
                                                                                                                  MD5:785EA75A2FB1DB6D9155B28A1291DAF3
                                                                                                                  SHA1:6B86F7E077D0A8823383FBB776313FEDB17BFDEA
                                                                                                                  SHA-256:BCD727E77C067BD5A31C13E8024F00ED60381D9AB725CAE2E6777A5708C9DDE0
                                                                                                                  SHA-512:1834BBF627951711C96708EE7AA4B6C069055E832C717561DC77592E68EFB93E65FE825A5D3D13859057C93BE96CC12701D725491C4CFC49A4EE4FD40942E72A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):512
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3::
                                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):32768
                                                                                                                  Entropy (8bit):1.220340622209413
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:LW8PhcuRc06WXJEjT5QDEqISoedGPdGTnaStedGPdGTn:Nhc1HjTODBIfD
                                                                                                                  MD5:676C065813EC566D66FD0AE05C74684F
                                                                                                                  SHA1:E487415860245818A6EE3608B97A400B001E0F0E
                                                                                                                  SHA-256:D2980951BCF352E8A1C0F998EF12B3B36C4F8B6EEE61719F6855FE96C3179BA3
                                                                                                                  SHA-512:4DF48DBAD0081088EC76D6DC3C6497C8CD4237E30C1428BF5B33D094BD8A93879E42D838E90EF45D498D8E46C118692154310CEC0222755017ACFF39E99A252D
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF23C39B378EC4AF4F.TMP, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):20480
                                                                                                                  Entropy (8bit):1.5812161168453054
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:N8Ph4uRc06WX4iFT5KHxb25wBMlYYqISoedGPdGfYrM6StedGPdGRubxn:wh41yFTpHl6IC6o1
                                                                                                                  MD5:7775C02A088AF06C754D9B67D0000DC5
                                                                                                                  SHA1:AA85691F71E0131F327C00BA36A6A72483BDBEA1
                                                                                                                  SHA-256:F6841494112FD52E3D0D98BAF555F6F13BBD05E5053DFF33F58AB6C2AE15EDFD
                                                                                                                  SHA-512:24474E8BCEE4573CBBA76E61259A2921D7570ACAE58BD690C8D5F7EB4EA059A0D80C8B06DCC7CDC64A07907F529E7567827A80480D4F825DECC7C48900BCB57E
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF3799968C382D1BD4.TMP, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):512
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3::
                                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):32768
                                                                                                                  Entropy (8bit):1.2296278086196577
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:DVUuKJveFXJfT5MDEqISoedGPdGTnaStedGPdGTn:JU4HTKDBIfD
                                                                                                                  MD5:62C5DC40CD15EA825209F325828BE984
                                                                                                                  SHA1:F723C4B79EEA6E29DBAC37681AA854C2E62E57A2
                                                                                                                  SHA-256:09D03B170DBDE23FE2CFFF8A38E4D5F67F96789697F4A63D2C9C0C96739436B8
                                                                                                                  SHA-512:4BA34943D57592D2EB1D1D3AD72A10E84E582CEDDC6B5243EAE4D2CD9CC32385FC89C9906B5E4907A1A0FD77A6C41441CEDCF284679FFB85087AAE07D74193BC
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF419CAFE4B9E9973D.TMP, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):512
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3::
                                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):512
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3::
                                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):32768
                                                                                                                  Entropy (8bit):1.2644926294420604
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:pRwu+I+xFX4zT5yHxb25wBMlYYqISoedGPdGfYrM6StedGPdGRubxn:Tw5wTxHl6IC6o1
                                                                                                                  MD5:49663E6993D564D56B1A4E7B1BC955FA
                                                                                                                  SHA1:7AB8D6C4F9BAF540F194601829043A269D882F16
                                                                                                                  SHA-256:77B49B019E18ADF3EB1B9B699829BF6547EE4212C9587D452BAE8BF823BBFC81
                                                                                                                  SHA-512:47C91D482DA39AEBBE1E095DB0C89273D7BF4C88009B250946E72B951187A99441106399AACA513173790A604866B6BD8B530C50570E1497644F6A567B7B11EB
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF48243D498F4590B8.TMP, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):69632
                                                                                                                  Entropy (8bit):0.1494417689210332
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:CnhubmStedGPdGeqISoedGPdGfYrMEQvHxb25wBM:iIyLICDAH
                                                                                                                  MD5:894CC79DEB0066BEC4AA62987192E779
                                                                                                                  SHA1:74664B5B6ABDFD30D6CE064C348316AECCFF73D3
                                                                                                                  SHA-256:E716A0A3B5A439A6A04EBB95DEB6B809D91070892C6EA990556394F6D51A27D7
                                                                                                                  SHA-512:2055EA6F5EC461CCEA27818D05E89949BEE4E4E2D43F5106A3BF274B63F09393449AD5099FFF7C3F1A985059670B36E24DA165B1CFEE7E3E4D79C2ED7E8143F0
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF4DE34DAD7D3601C7.TMP, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):512
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3::
                                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):32768
                                                                                                                  Entropy (8bit):1.2644926294420604
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:pRwu+I+xFX4zT5yHxb25wBMlYYqISoedGPdGfYrM6StedGPdGRubxn:Tw5wTxHl6IC6o1
                                                                                                                  MD5:49663E6993D564D56B1A4E7B1BC955FA
                                                                                                                  SHA1:7AB8D6C4F9BAF540F194601829043A269D882F16
                                                                                                                  SHA-256:77B49B019E18ADF3EB1B9B699829BF6547EE4212C9587D452BAE8BF823BBFC81
                                                                                                                  SHA-512:47C91D482DA39AEBBE1E095DB0C89273D7BF4C88009B250946E72B951187A99441106399AACA513173790A604866B6BD8B530C50570E1497644F6A567B7B11EB
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF5E319E7646B18B95.TMP, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):32768
                                                                                                                  Entropy (8bit):0.0889250031392316
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO4mJ+cXkLG/PnkoVky6lkt/:2F0i8n0itFzDHFZJxkLSOk1
                                                                                                                  MD5:BA7A423248ABE3A7D59A1597709907BA
                                                                                                                  SHA1:FDBA7368A29115B98234165602F536705362615E
                                                                                                                  SHA-256:4A52FD2F7355C0D562D6AC1A22E846E6D80C6EDF34B1F16DC3BE9B14103B34D2
                                                                                                                  SHA-512:D538550089EA01B6DF2AAB50F492B5F0016CAACC4882533D58DC2C72B9BC265C8908CA1C0ABB2E560E17A866F5AFCFD4A20C6CE75BC825EEC3087D0308716705
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):32768
                                                                                                                  Entropy (8bit):1.2296278086196577
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:DVUuKJveFXJfT5MDEqISoedGPdGTnaStedGPdGTn:JU4HTKDBIfD
                                                                                                                  MD5:62C5DC40CD15EA825209F325828BE984
                                                                                                                  SHA1:F723C4B79EEA6E29DBAC37681AA854C2E62E57A2
                                                                                                                  SHA-256:09D03B170DBDE23FE2CFFF8A38E4D5F67F96789697F4A63D2C9C0C96739436B8
                                                                                                                  SHA-512:4BA34943D57592D2EB1D1D3AD72A10E84E582CEDDC6B5243EAE4D2CD9CC32385FC89C9906B5E4907A1A0FD77A6C41441CEDCF284679FFB85087AAE07D74193BC
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF766EA6E4B5F83B09.TMP, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):512
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3::
                                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):512
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3::
                                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):512
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3::
                                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):32768
                                                                                                                  Entropy (8bit):1.220340622209413
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:LW8PhcuRc06WXJEjT5QDEqISoedGPdGTnaStedGPdGTn:Nhc1HjTODBIfD
                                                                                                                  MD5:676C065813EC566D66FD0AE05C74684F
                                                                                                                  SHA1:E487415860245818A6EE3608B97A400B001E0F0E
                                                                                                                  SHA-256:D2980951BCF352E8A1C0F998EF12B3B36C4F8B6EEE61719F6855FE96C3179BA3
                                                                                                                  SHA-512:4DF48DBAD0081088EC76D6DC3C6497C8CD4237E30C1428BF5B33D094BD8A93879E42D838E90EF45D498D8E46C118692154310CEC0222755017ACFF39E99A252D
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF93CF73A321659BF9.TMP, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):512
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3::
                                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):69632
                                                                                                                  Entropy (8bit):0.13015431521622298
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:24:CnAipVfedGSadGS7qIipVGedGSadGSfEqasJGOWTZkv+D+no:CnAStedGPdGeqISoedGPdGTnu8
                                                                                                                  MD5:3B8E469E9FC20B27716522E2F144F870
                                                                                                                  SHA1:0FAE3EDD691A658B72878DB0F5E59705E5FE5E33
                                                                                                                  SHA-256:54269A20D88E568D96B5A3A8846FF1B435074272FE7377B120C195C712E6CB71
                                                                                                                  SHA-512:FBF605E1956A07774B1179054BC3E13166E22683063027D85D2E3E13370E4F0D10076E9B47FCFA32BA7E28129EDFFABBD6D6F5508DB910369AF7E96FE4BAE3DD
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFAB8C01D75D048A21.TMP, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):49152
                                                                                                                  Entropy (8bit):1.000171095773316
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:4MMXukJveFXJfT5p2DfqISoedvPdvbCnuhnq9BnKYdStedvPdvxubS:QXaHTn2DSIciuBuhKG4
                                                                                                                  MD5:075C02E9EAFB9E054B6DFCBC20E08548
                                                                                                                  SHA1:D30E465EEA3A7D9D1A83AE552C3B0001C3179655
                                                                                                                  SHA-256:4C8F3208094672268D09926DC8B4983B49B5D33D16A1AF747A2717DC4D1F213B
                                                                                                                  SHA-512:FB3743282D9815A69100B2B3804880167A38BB7C3A7E6B01717D4D347D7F4C27F914A0C4497A75017C6D2F5562F4923DF28A519E8B94D622982F432F80419D72
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFB40092767CAD3D25.TMP, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):20480
                                                                                                                  Entropy (8bit):1.6188276798828047
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:G8PhPuRc06WXJEjT5gDfqISoedvPdvbCnuhnq9BnKYdStedvPdvxubS:ZhP1HjTeDSIciuBuhKG4
                                                                                                                  MD5:E19140D7252597256F99FE91881EAFF4
                                                                                                                  SHA1:B1D31EF2F45462E673F1498AFBCF702E62B40FB0
                                                                                                                  SHA-256:37E41200AA2745E731E0EDEB1847B845DBA0BC3166A1DD6D83C6116BBCAF0F2D
                                                                                                                  SHA-512:E963295BF2BECD01C2701A08465187BA920C9A1576F880F714B3E5C83940B165FAEC2CF2E31166E18F4A5264FD8FB88C677C84AAA3C2A2C3F015C3C3C7724F06
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFB620A0199B5C5F87.TMP, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):32768
                                                                                                                  Entropy (8bit):1.2296278086196577
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:DVUuKJveFXJfT5MDEqISoedGPdGTnaStedGPdGTn:JU4HTKDBIfD
                                                                                                                  MD5:62C5DC40CD15EA825209F325828BE984
                                                                                                                  SHA1:F723C4B79EEA6E29DBAC37681AA854C2E62E57A2
                                                                                                                  SHA-256:09D03B170DBDE23FE2CFFF8A38E4D5F67F96789697F4A63D2C9C0C96739436B8
                                                                                                                  SHA-512:4BA34943D57592D2EB1D1D3AD72A10E84E582CEDDC6B5243EAE4D2CD9CC32385FC89C9906B5E4907A1A0FD77A6C41441CEDCF284679FFB85087AAE07D74193BC
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFBF46613FB0EC149F.TMP, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):512
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3::
                                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):20480
                                                                                                                  Entropy (8bit):1.5812161168453054
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:N8Ph4uRc06WX4iFT5KHxb25wBMlYYqISoedGPdGfYrM6StedGPdGRubxn:wh41yFTpHl6IC6o1
                                                                                                                  MD5:7775C02A088AF06C754D9B67D0000DC5
                                                                                                                  SHA1:AA85691F71E0131F327C00BA36A6A72483BDBEA1
                                                                                                                  SHA-256:F6841494112FD52E3D0D98BAF555F6F13BBD05E5053DFF33F58AB6C2AE15EDFD
                                                                                                                  SHA-512:24474E8BCEE4573CBBA76E61259A2921D7570ACAE58BD690C8D5F7EB4EA059A0D80C8B06DCC7CDC64A07907F529E7567827A80480D4F825DECC7C48900BCB57E
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFCE3F0DE558344BD6.TMP, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):512
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3::
                                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):20480
                                                                                                                  Entropy (8bit):1.6188276798828047
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:G8PhPuRc06WXJEjT5gDfqISoedvPdvbCnuhnq9BnKYdStedvPdvxubS:ZhP1HjTeDSIciuBuhKG4
                                                                                                                  MD5:E19140D7252597256F99FE91881EAFF4
                                                                                                                  SHA1:B1D31EF2F45462E673F1498AFBCF702E62B40FB0
                                                                                                                  SHA-256:37E41200AA2745E731E0EDEB1847B845DBA0BC3166A1DD6D83C6116BBCAF0F2D
                                                                                                                  SHA-512:E963295BF2BECD01C2701A08465187BA920C9A1576F880F714B3E5C83940B165FAEC2CF2E31166E18F4A5264FD8FB88C677C84AAA3C2A2C3F015C3C3C7724F06
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFD70EE075D533C6D0.TMP, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):512
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3::
                                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):512
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3::
                                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):49152
                                                                                                                  Entropy (8bit):1.000171095773316
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:4MMXukJveFXJfT5p2DfqISoedvPdvbCnuhnq9BnKYdStedvPdvxubS:QXaHTn2DSIciuBuhKG4
                                                                                                                  MD5:075C02E9EAFB9E054B6DFCBC20E08548
                                                                                                                  SHA1:D30E465EEA3A7D9D1A83AE552C3B0001C3179655
                                                                                                                  SHA-256:4C8F3208094672268D09926DC8B4983B49B5D33D16A1AF747A2717DC4D1F213B
                                                                                                                  SHA-512:FB3743282D9815A69100B2B3804880167A38BB7C3A7E6B01717D4D347D7F4C27F914A0C4497A75017C6D2F5562F4923DF28A519E8B94D622982F432F80419D72
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFDCD3E3178C7DA434.TMP, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):49152
                                                                                                                  Entropy (8bit):1.000171095773316
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:4MMXukJveFXJfT5p2DfqISoedvPdvbCnuhnq9BnKYdStedvPdvxubS:QXaHTn2DSIciuBuhKG4
                                                                                                                  MD5:075C02E9EAFB9E054B6DFCBC20E08548
                                                                                                                  SHA1:D30E465EEA3A7D9D1A83AE552C3B0001C3179655
                                                                                                                  SHA-256:4C8F3208094672268D09926DC8B4983B49B5D33D16A1AF747A2717DC4D1F213B
                                                                                                                  SHA-512:FB3743282D9815A69100B2B3804880167A38BB7C3A7E6B01717D4D347D7F4C27F914A0C4497A75017C6D2F5562F4923DF28A519E8B94D622982F432F80419D72
                                                                                                                  Malicious:true
                                                                                                                  Yara Hits:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFEF3CEE6A03484DCA.TMP, Author: Joe Security
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):512
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3::
                                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):512
                                                                                                                  Entropy (8bit):0.0
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3::
                                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):2355
                                                                                                                  Entropy (8bit):4.981528504391193
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:48:s6Q/s1zRs1ziVNn7pItUdSl4s1zRs1ziVNn7pItUdSc:s6Q/gn/7p7Al4gn/7p7Ac
                                                                                                                  MD5:783BDAAA208F759D9B47345B0F940D5A
                                                                                                                  SHA1:8B67DB1BCDA26C7C8750007F466E003D37358113
                                                                                                                  SHA-256:CB6DDC9176F69F6453A3DCA3B20836541690DD211FB5027AA493ED5D5AEC701A
                                                                                                                  SHA-512:304C681CA3DC0417C0FD2DFE8BFB8E6F89DDB5DEEBD8374A3145422DF7BC71C0CE04F9B83E905A9AE3978A62A552A0B2D3F436F3D5F03178B0876F8346588DC8
                                                                                                                  Malicious:false
                                                                                                                  Reputation:unknown
                                                                                                                  Preview:2024-09-05 11:24:08.0661|ERROR|AgentPackageOsUpdates|Error executing command, args: getlistofallupdates..exception: System.AggregateException: One or more errors occurred. ---> System.Runtime.InteropServices.COMException: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....The service cannot be started, either because it is disabled or because it has no enabled devices associated with it..... at WUApiLib.IUpdateSearcher.Search(String criteria).. at AgentPackageOsUpdates.OsUpdates.WindowsUpdates.WuApiService.GetUpdatesByQuery(String query).. at AgentPackageOsUpdates.OsUpdates.WindowsUpdates.WindowsUpdatesService.GetUpdates().. at AgentPackageOsUpdates.OsUpdates.OsUpdatesRetreiver.<Get>d__2.MoveNext()..--- End of stack trace from previous location where exception was thrown ---.. at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw().. at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSucces
                                                                                                                  File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                  Entropy (8bit):7.878671241504918
                                                                                                                  TrID:
                                                                                                                  • Microsoft Windows Installer (60509/1) 57.88%
                                                                                                                  • ClickyMouse macro set (36024/1) 34.46%
                                                                                                                  • Generic OLE2 / Multistream Compound File (8008/1) 7.66%
                                                                                                                  File name:SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msi
                                                                                                                  File size:2'994'176 bytes
                                                                                                                  MD5:305302b116cf1affd6662385b845fad7
                                                                                                                  SHA1:de4d88c3f376f749b21a8eeb572a80bc481637b0
                                                                                                                  SHA256:fab822cc1d5b10a959de748250badb0f1244964942814046b74c41b8887c8c00
                                                                                                                  SHA512:a43452440d5b37176bba6e61c5c58e33dcf881c08cd7275826e6213bb8a39efdff2def3e95770c41ce1445692d55cb8665c0fd00d77808ec99574ba17624725a
                                                                                                                  SSDEEP:49152:P+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:P+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                  TLSH:1DD523117584483AE37B0A358D7AD6A05E7DFE605B70CA8E9308741E2E705C1AB76FB3
                                                                                                                  Icon Hash:2d2e3797b32b2b99
                                                                                                                  Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.


                                                                                                                  Target ID:0
                                                                                                                  Start time:11:23:03
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\System32\msiexec.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.Program.RemoteAdminNET.1.3218.16257.msi"
                                                                                                                  Imagebase:0x7ff74c9d0000
                                                                                                                  File size:69'632 bytes
                                                                                                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:1
                                                                                                                  Start time:11:23:03
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\System32\msiexec.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                                  Imagebase:0x7ff74c9d0000
                                                                                                                  File size:69'632 bytes
                                                                                                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:false

                                                                                                                  Target ID:3
                                                                                                                  Start time:11:23:04
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 6BEB905C8354112D7E7BC21C1881079B
                                                                                                                  Imagebase:0xfb0000
                                                                                                                  File size:59'904 bytes
                                                                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:4
                                                                                                                  Start time:11:23:04
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:rundll32.exe "C:\Windows\Installer\MSIBA36.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4373156 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                                                                                                  Imagebase:0xa20000
                                                                                                                  File size:61'440 bytes
                                                                                                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000003.2063828795.0000000004534000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:5
                                                                                                                  Start time:11:23:05
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:rundll32.exe "C:\Windows\Installer\MSIBCE7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4373765 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                                                                                                  Imagebase:0xa20000
                                                                                                                  File size:61'440 bytes
                                                                                                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000002.2106152856.0000000005074000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000002.2106152856.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000003.2075226242.0000000004D26000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:6
                                                                                                                  Start time:11:23:09
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:rundll32.exe "C:\Windows\Installer\MSICC98.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4377781 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                                                                                                                  Imagebase:0xa20000
                                                                                                                  File size:61'440 bytes
                                                                                                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000006.00000003.2108722058.00000000041E1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:7
                                                                                                                  Start time:11:23:09
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 98B428FB0154F0966007DE80009BCB6E E Global\MSI0000
                                                                                                                  Imagebase:0xfb0000
                                                                                                                  File size:59'904 bytes
                                                                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:8
                                                                                                                  Start time:11:23:09
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\SysWOW64\net.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"NET" STOP AteraAgent
                                                                                                                  Imagebase:0x180000
                                                                                                                  File size:47'104 bytes
                                                                                                                  MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:9
                                                                                                                  Start time:11:23:09
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:10
                                                                                                                  Start time:11:23:09
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\SysWOW64\net1.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:C:\Windows\system32\net1 STOP AteraAgent
                                                                                                                  Imagebase:0xd00000
                                                                                                                  File size:139'776 bytes
                                                                                                                  MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:11
                                                                                                                  Start time:11:23:10
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"TaskKill.exe" /f /im AteraAgent.exe
                                                                                                                  Imagebase:0xc60000
                                                                                                                  File size:74'240 bytes
                                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:moderate
                                                                                                                  Has exited:true

                                                                                                                  Target ID:12
                                                                                                                  Start time:11:23:10
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:13
                                                                                                                  Start time:11:23:10
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="daniteixeiraca@gmail.com" /CompanyId="4" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000GIFLyIAP" /AgentId="7a7e43f1-0afc-4f50-8c61-339131846a69"
                                                                                                                  Imagebase:0x2c5ac430000
                                                                                                                  File size:145'968 bytes
                                                                                                                  MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                                  Antivirus matches:
                                                                                                                  • Detection: 21%, ReversingLabs
                                                                                                                  Has exited:true

                                                                                                                  Target ID:14
                                                                                                                  Start time:11:23:14
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                                                                                                  Imagebase:0x27b666b0000
                                                                                                                  File size:145'968 bytes
                                                                                                                  MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  Has exited:true

                                                                                                                  Target ID:15
                                                                                                                  Start time:11:23:14
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\System32\sc.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                                                                                                  Imagebase:0x7ff707a80000
                                                                                                                  File size:72'192 bytes
                                                                                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:16
                                                                                                                  Start time:11:23:14
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:17
                                                                                                                  Start time:11:23:15
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:rundll32.exe "C:\Windows\Installer\MSIE45B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4383859 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                                                                                                                  Imagebase:0xa20000
                                                                                                                  File size:61'440 bytes
                                                                                                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000011.00000002.2212651176.0000000004BD7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000011.00000002.2212651176.0000000004B31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000011.00000003.2170478630.00000000046DC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  Has exited:true

                                                                                                                  Target ID:19
                                                                                                                  Start time:11:23:22
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "352bade9-39fc-4189-bf6a-41f552dd6fba" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000GIFLyIAP
                                                                                                                  Imagebase:0x13f415e0000
                                                                                                                  File size:176'176 bytes
                                                                                                                  MD5 hash:ACCE8B17DE63299AA4D5CB7D709BEEDC
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                  Has exited:true

                                                                                                                  Target ID:20
                                                                                                                  Start time:11:23:22
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:21
                                                                                                                  Start time:11:23:23
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "34d7bbb1-2b8f-4bcd-964e-f5acf144e140" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000GIFLyIAP
                                                                                                                  Imagebase:0x1852e4c0000
                                                                                                                  File size:176'176 bytes
                                                                                                                  MD5 hash:ACCE8B17DE63299AA4D5CB7D709BEEDC
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.2272141138.000001852E618000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  Has exited:true

                                                                                                                  Target ID:22
                                                                                                                  Start time:11:23:23
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:23
                                                                                                                  Start time:11:23:25
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "47d6379b-c658-4e52-a133-db8b6d46f0d9" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000GIFLyIAP
                                                                                                                  Imagebase:0x1f108390000
                                                                                                                  File size:176'176 bytes
                                                                                                                  MD5 hash:ACCE8B17DE63299AA4D5CB7D709BEEDC
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.2284589508.000001F108C53000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  Has exited:true

                                                                                                                  Target ID:24
                                                                                                                  Start time:11:23:25
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:25
                                                                                                                  Start time:11:23:26
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                                                                                                  Imagebase:0x218684b0000
                                                                                                                  File size:145'968 bytes
                                                                                                                  MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.2807215547.00000218007B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  Has exited:true

                                                                                                                  Target ID:26
                                                                                                                  Start time:11:23:26
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\System32\sc.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                                                                                                  Imagebase:0x7ff707a80000
                                                                                                                  File size:72'192 bytes
                                                                                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:27
                                                                                                                  Start time:11:23:26
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:28
                                                                                                                  Start time:11:23:26
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "8cc942ae-3bdb-4222-9453-2ed70848cfc7" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000GIFLyIAP
                                                                                                                  Imagebase:0x2263b740000
                                                                                                                  File size:176'176 bytes
                                                                                                                  MD5 hash:ACCE8B17DE63299AA4D5CB7D709BEEDC
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: process memory dumps (.sdmp), Author: Joe Security
                                                                                                                  Has exited:true

                                                                                                                  Target ID:29
                                                                                                                  Start time:11:23:27
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:30
                                                                                                                  Start time:11:23:27
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                                  Imagebase:0x7ff6a7f30000
                                                                                                                  File size:289'792 bytes
                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: process memory dumps (.sdmp), Author: Joe Security
                                                                                                                  Has exited:true

                                                                                                                  Target ID:31
                                                                                                                  Start time:11:23:27
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:32
                                                                                                                  Start time:11:23:27
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\System32\cscript.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                                  Imagebase:0x7ff769110000
                                                                                                                  File size:161'280 bytes
                                                                                                                  MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000020.00000002.2363436917.000002C3676A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  Has exited:true

                                                                                                                  Target ID:33
                                                                                                                  Start time:11:23:28
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\System32\sppsvc.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\sppsvc.exe
                                                                                                                  Imagebase:0x7ff632ac0000
                                                                                                                  File size:4'630'384 bytes
                                                                                                                  MD5 hash:320823F03672CEB82CC3A169989ABD12
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:34
                                                                                                                  Start time:11:23:32
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "585ea9f2-ff62-42b1-8621-32f89cbd700f" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000GIFLyIAP
                                                                                                                  Imagebase:0x269e48c0000
                                                                                                                  File size:396'336 bytes
                                                                                                                  MD5 hash:B50005A1A62AFA85240D1F65165856EB
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: process memory dumps (.sdmp), Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security
                                                                                                                  Has exited:true

                                                                                                                  Target ID:35
                                                                                                                  Start time:11:23:32
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:36
                                                                                                                  Start time:11:23:35
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k smphost
                                                                                                                  Imagebase:0x7ff7e52b0000
                                                                                                                  File size:55'320 bytes
                                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:false

                                                                                                                  Target ID:38
                                                                                                                  Start time:11:23:58
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "207c764f-7b5e-4361-b17c-c2a6bd7d6267" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000GIFLyIAP
                                                                                                                  Imagebase:0x1d53fb60000
                                                                                                                  File size:176'176 bytes
                                                                                                                  MD5 hash:ACCE8B17DE63299AA4D5CB7D709BEEDC
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2810177979.000001D53FC84000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2821800701.000001D5404B7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2821800701.000001D540A40000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2908384954.000001D559010000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2810177979.000001D53FC40000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2810177979.000001D53FCC9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2890995099.000001D558DCC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2889513375.000001D558DA0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2821800701.000001D5409F6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2821800701.000001D5404F3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2904940607.000001D558FB2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2890995099.000001D558DD9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2810177979.000001D53FC7B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2821800701.000001D5409B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2821800701.000001D540471000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2821800701.000001D540A3D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2810177979.000001D53FC5B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2821800701.000001D540644000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2821800701.000001D5404E3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2819356519.000001D53FEE0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  Has exited:true

                                                                                                                  Target ID:39
                                                                                                                  Start time:11:23:58
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:40
                                                                                                                  Start time:11:23:58
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                                  Imagebase:0x7ff6a7f30000
                                                                                                                  File size:289'792 bytes
                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000003.2605412856.000002172A390000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2758180315.000002172A370000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2755972710.000002172A1C4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2755972710.000002172A1A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2755972710.000002172A1AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  Has exited:true

                                                                                                                  Target ID:41
                                                                                                                  Start time:11:23:58
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:42
                                                                                                                  Start time:11:23:58
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\System32\cscript.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                                  Imagebase:0x7ff769110000
                                                                                                                  File size:161'280 bytes
                                                                                                                  MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2719790084.000001B559340000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  Has exited:true

                                                                                                                  Target ID:43
                                                                                                                  Start time:11:24:00
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "4e65690f-3e0c-4d9e-964f-8895324bb3ff" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000GIFLyIAP
                                                                                                                  Imagebase:0x244861c0000
                                                                                                                  File size:52'272 bytes
                                                                                                                  MD5 hash:6095B43FA565DA44E7A818CFB4BACBA2
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002B.00000002.2926559409.00000244864C5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002B.00000002.2914256319.0000024486282000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002B.00000002.2977107535.000002449F494000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002B.00000002.2980050197.000002449F4F4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002B.00000002.2928832701.0000024486BA2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002B.00000002.2928832701.0000024486A31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002B.00000002.2928832701.0000024486CB0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002B.00000002.2914256319.00000244862C9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002B.00000002.2911067057.0000007C23AF2000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002B.00000002.2927622612.0000024486520000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002B.00000002.2980050197.000002449F4AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002B.00000002.2914256319.000002448624C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002B.00000002.2914256319.0000024486240000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002B.00000002.2977107535.000002449F460000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002B.00000000.2617750941.00000244861C2000.00000002.00000001.01000000.00000026.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002B.00000002.2980050197.000002449F49F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, Author: Joe Security
                                                                                                                  Has exited:true

                                                                                                                  Target ID:44
                                                                                                                  Start time:11:24:00
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:45
                                                                                                                  Start time:11:24:02
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "f721374f-3fe2-4b5f-8eec-11d640442926" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000GIFLyIAP
                                                                                                                  Imagebase:0x1cb82700000
                                                                                                                  File size:33'328 bytes
                                                                                                                  MD5 hash:38D0C4B048371940F8091F7237A4CAFC
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, Author: Joe Security
                                                                                                                  Has exited:false

                                                                                                                  Target ID:46
                                                                                                                  Start time:11:24:03
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:false

                                                                                                                  Target ID:47
                                                                                                                  Start time:11:24:03
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "e356d6d4-7cbe-4df1-bcc8-05bbf73f1e8a" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000GIFLyIAP
                                                                                                                  Imagebase:0x2d683890000
                                                                                                                  File size:73'264 bytes
                                                                                                                  MD5 hash:00A4D22D776D110ADCC63F0C567131C6
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security
                                                                                                                  Has exited:true

                                                                                                                  Target ID:48
                                                                                                                  Start time:11:24:03
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:49
                                                                                                                  Start time:11:24:04
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun
                                                                                                                  Imagebase:0x26489ad0000
                                                                                                                  File size:52'272 bytes
                                                                                                                  MD5 hash:6095B43FA565DA44E7A818CFB4BACBA2
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2783599588.0000026489BA0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2811624912.0000026489DB0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2783599588.0000026489BBF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2783599588.0000026489C26000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2783599588.0000026489BA8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2783599588.0000026489BDE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2816243868.000002648A541000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2816243868.000002648A5C3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  Has exited:true

                                                                                                                  Target ID:50
                                                                                                                  Start time:11:24:05
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:51
                                                                                                                  Start time:11:24:05
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "36f22a95-55e4-49cb-a2d9-ea5984df366a" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000GIFLyIAP
                                                                                                                  Imagebase:0x215fd610000
                                                                                                                  File size:219'696 bytes
                                                                                                                  MD5 hash:01807774F043028EC29982A62FA75941
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, Author: Joe Security
                                                                                                                  Has exited:true

                                                                                                                  Target ID:52
                                                                                                                  Start time:11:24:05
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:53
                                                                                                                  Start time:11:24:05
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "03c91351-843b-4c54-8a6f-6ddae72fa65a" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000GIFLyIAP
                                                                                                                  Imagebase:0x2944d9b0000
                                                                                                                  File size:197'680 bytes
                                                                                                                  MD5 hash:C0C8815ACF3A7BD323512DFEA1B0ABF0
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, Author: Joe Security
                                                                                                                  Has exited:true

                                                                                                                  Target ID:54
                                                                                                                  Start time:11:24:06
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:55
                                                                                                                  Start time:11:24:06
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "1d983d41-867d-46f7-858b-ce7cf9dfe8cc" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000GIFLyIAP
                                                                                                                  Imagebase:0x1db5c310000
                                                                                                                  File size:27'696 bytes
                                                                                                                  MD5 hash:797C9554EC56FD72EBB3F6F6BEF67FB5
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: process memory dumps (.sdmp), Author: Joe Security
                                                                                                                  Has exited:true

                                                                                                                  Target ID:56
                                                                                                                  Start time:11:24:06
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:57
                                                                                                                  Start time:11:24:07
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\System32\msiexec.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                                                                                                  Imagebase:0x7ff74c9d0000
                                                                                                                  File size:69'632 bytes
                                                                                                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: process memory dumps (.sdmp), Author: Joe Security
                                                                                                                  Has exited:true

                                                                                                                  Target ID:58
                                                                                                                  Start time:11:24:07
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 7a7e43f1-0afc-4f50-8c61-339131846a69 "8e1a3aa9-ed84-4ede-9655-ef0091e8bc20" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000GIFLyIAP
                                                                                                                  Imagebase:0x2961cc50000
                                                                                                                  File size:53'296 bytes
                                                                                                                  MD5 hash:6E034C46991A649567D61B8124D6E59F
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, Author: Joe Security
                                                                                                                  Has exited:true

                                                                                                                  Target ID:59
                                                                                                                  Start time:11:24:07
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:60
                                                                                                                  Start time:11:24:08
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 41990507C01A0A78CED2BEEF0F9E4459 E Global\MSI0000
                                                                                                                  Imagebase:0xfb0000
                                                                                                                  File size:59'904 bytes
                                                                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:61
                                                                                                                  Start time:11:24:08
                                                                                                                  Start date:05/09/2024
                                                                                                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:rundll32.exe "C:\Windows\Installer\MSIB567.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4437562 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                                                                                                  Imagebase:0xa20000
                                                                                                                  File size:61'440 bytes
                                                                                                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003D.00000003.2710479187.0000000004D38000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  Has exited:true

                                                                                                                    • Opcode Fuzzy Hash: 5da5c558df37e7337016f3ba3dc3e7f16b5054ba71241d9296b2318a0c67ddb0
                                                                                                                    • Instruction Fuzzy Hash: C801D83061A3455FC7099F7969312567FE9EEC225830909AAD94ACF2A3F928D805C3D1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000003.2065005228.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: f85e90f166e165cb1691311f19db1e310d4d843ff6adbcbf83f445cfc7615c08
                                                                                                                    • Instruction ID: 340b2980d2adce43b7ab47b74bdca13f1ea51343b59816e505c0723c91bc11c2
                                                                                                                    • Opcode Fuzzy Hash: f85e90f166e165cb1691311f19db1e310d4d843ff6adbcbf83f445cfc7615c08
                                                                                                                    • Instruction Fuzzy Hash: 84114F31600215EFCB04DFA5D454AA97BF6EF8C324F145019E81AEB391EF796C45CB90
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000003.2065005228.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: f4a57e85de983a59c6aadd1fc7fbab0289fc83e0a1100cb83737df05ceb42dc9
                                                                                                                    • Instruction ID: 683ff297a3c3045551e2156dc26450faab96c09f497be091aebb277f392e4614
                                                                                                                    • Opcode Fuzzy Hash: f4a57e85de983a59c6aadd1fc7fbab0289fc83e0a1100cb83737df05ceb42dc9
                                                                                                                    • Instruction Fuzzy Hash: 7901F270A0010597E718EA6885697EFBFF6EBC8354F14812DD046B7380CE756D0687D0
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000003.2065005228.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: df6e3f65412e27dc2099576214598c56e55ef1574ccbce175fc5a4f0fd21568e
                                                                                                                    • Instruction ID: cc2d72ff31727d25f58aa90d8353df05fa7d027719cce85398368551aed24b17
                                                                                                                    • Opcode Fuzzy Hash: df6e3f65412e27dc2099576214598c56e55ef1574ccbce175fc5a4f0fd21568e
                                                                                                                    • Instruction Fuzzy Hash: 45F0FC357073401B9735595764CC7FB6B5A9F86764B0490E6DE85C7353D9147C0161E0
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2066115288.000000000451D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0451D000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_451d000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 6637c4e1667449534ebe776141c1fb3ceaf5f0e79d33246c2ad8feeef2344a47
                                                                                                                    • Instruction ID: b8e63dc2a790f887caa12c47137b5652bbd5d0d11ab2a0ce1088e87742d6a4a9
                                                                                                                    • Opcode Fuzzy Hash: 6637c4e1667449534ebe776141c1fb3ceaf5f0e79d33246c2ad8feeef2344a47
                                                                                                                    • Instruction Fuzzy Hash: 40015E7140E3C09EE7128B259C94B52BFB4EF43224F1D81DBD9888F2A7C2696849C772
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.2066115288.000000000451D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0451D000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_451d000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 2e5efb35b2e7bb7eaae1fa185753f0197c3eccfdaee91d963b47ee10186d24f2
                                                                                                                    • Instruction ID: 73204fbea404b5b14b83e11bad390b787668ec6d176bfe58b47ad6ee575b6210
                                                                                                                    • Opcode Fuzzy Hash: 2e5efb35b2e7bb7eaae1fa185753f0197c3eccfdaee91d963b47ee10186d24f2
                                                                                                                    • Instruction Fuzzy Hash: 9301FC715043049DF7108E19E984B67BFA8FF41360F18C519DD480A156E279B845D6B1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000003.2065005228.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: ee6432d366a2986b7c7c16550aa93e7f1ee7d2e4b9aeb22ea50d8f4b52626749
                                                                                                                    • Instruction ID: a58a2cc23ef5fbd8a780807e984d016d8230fdb74bb7820f3d6f25b9a6a54bfd
                                                                                                                    • Opcode Fuzzy Hash: ee6432d366a2986b7c7c16550aa93e7f1ee7d2e4b9aeb22ea50d8f4b52626749
                                                                                                                    • Instruction Fuzzy Hash: 1DF0C8306052055FC70D9F7A59756557FD9EEC2358304086ED546CF292F9289901C3D1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000003.2065005228.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 07467e93e4c392664e8ab7e4568c4f909ffcb7495be8742aba7d07cbb13affe8
                                                                                                                    • Instruction ID: 9db1d7324c08ce6ffc089c52bfb00d5d776ec017e61cfa9487586fb6cffe3dbf
                                                                                                                    • Opcode Fuzzy Hash: 07467e93e4c392664e8ab7e4568c4f909ffcb7495be8742aba7d07cbb13affe8
                                                                                                                    • Instruction Fuzzy Hash: E3F02437B141444BCB0C8A29E0197ED7BB6DBC8211B1080AED522A7380EF35590EC790
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000003.2065005228.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: f1021e100240ea077aaee253ab4c551f00cfb70de36e97372574b73e26ad16ce
                                                                                                                    • Instruction ID: 7c9c8f3629b649966482fff7c6a72c1f8a61846e4bd49f57d1774dd594cf26c0
                                                                                                                    • Opcode Fuzzy Hash: f1021e100240ea077aaee253ab4c551f00cfb70de36e97372574b73e26ad16ce
                                                                                                                    • Instruction Fuzzy Hash: 85E0E532B141144BCB0C9A69E4185EDB7BAEBC8211B118036D917A3340EF741D0DCBA1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000003.2065005228.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 27dec7f8908a171d8fa854abee36e540124f3e49cf475ee736dd44615b73c987
                                                                                                                    • Instruction ID: b82254c95cb3021ef9e1307b04b425ce792fa8e6e59fe918d6f759d28c03c977
                                                                                                                    • Opcode Fuzzy Hash: 27dec7f8908a171d8fa854abee36e540124f3e49cf475ee736dd44615b73c987
                                                                                                                    • Instruction Fuzzy Hash: 6AE0652171721802FB282D69591C7E726CE8B8060CF1008BAC881C7B83FDC4F84412E6
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000003.2065005228.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a5769b3ddc0f344025d71383d3ca9304b9f71900f155e7b0c18ccf53985b36f0
                                                                                                                    • Instruction ID: c8d52eee649eab7fc6160f3cce30a5129cafe207fb0eaa847f74550e306969d8
                                                                                                                    • Opcode Fuzzy Hash: a5769b3ddc0f344025d71383d3ca9304b9f71900f155e7b0c18ccf53985b36f0
                                                                                                                    • Instruction Fuzzy Hash: 05E086314162400ED3095BF5B96AAC42F95EE8611030289E6D2409F277EE24784E92D5
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000003.2065005228.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 27093792e951ac77973edf420c972f08867d95c4cb2d046b8b82652222671a74
                                                                                                                    • Instruction ID: ab136e41e2cf19705e1048a16d01d9edcda9f24d4ce68129e52e080e1feea50c
                                                                                                                    • Opcode Fuzzy Hash: 27093792e951ac77973edf420c972f08867d95c4cb2d046b8b82652222671a74
                                                                                                                    • Instruction Fuzzy Hash: EAE02B3311D2940FC3061F20B9160D53F74D75A25030540A3E98187362CD612D16D7D0
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000003.2065005228.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: e8c80cffe7d2d2c8277c58ee80fa125bf6cf98464e0651f8c46f96518b774393
                                                                                                                    • Instruction ID: dfa564a54a382401ed8a257e3c246443de77cec7ab22297ccd1bf29868b88c62
                                                                                                                    • Opcode Fuzzy Hash: e8c80cffe7d2d2c8277c58ee80fa125bf6cf98464e0651f8c46f96518b774393
                                                                                                                    • Instruction Fuzzy Hash: BCD0A7327150186F52046A5AD8599FA7BD9EB843A03514433FA4283320DD70BC04C7D5
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000003.2065005228.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: bbf0bf858d8382096249a9092b691403c00d0c9c12c7cf76f1cb117d79e16e6f
                                                                                                                    • Instruction ID: 2232366bd9094a188d63a6a3a9ebd6de675d87baf6f2b4f7003d7f3af50db1b8
                                                                                                                    • Opcode Fuzzy Hash: bbf0bf858d8382096249a9092b691403c00d0c9c12c7cf76f1cb117d79e16e6f
                                                                                                                    • Instruction Fuzzy Hash: 32E0EC70D052099F8750EFB9850565ABBF4AB48604B5085A98448D7301F63295028BD1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000003.2065005228.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: c0ac3e95c47ac69765f0a9a77fd767908ab588c42bfcdf7a2a723387c08ddecb
                                                                                                                    • Instruction ID: c020507ac903aa1a4a920c2b885ea615355287664188d0d9f0fd54d56006cefb
                                                                                                                    • Opcode Fuzzy Hash: c0ac3e95c47ac69765f0a9a77fd767908ab588c42bfcdf7a2a723387c08ddecb
                                                                                                                    • Instruction Fuzzy Hash: C3D0A77511D3C16FC30347950458499BF70FE6330CB8E8286C0C59C113D329D452D3B1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104860310.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_73d0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: Pl]q$Pl]q$Pl]q$Pl]q$Pl]q$x bq
                                                                                                                    • API String ID: 0-3088629338
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104860310.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_73d0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: \;]q
                                                                                                                    • API String ID: 0-2696284100
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: _q$$&^q$(_]q$4']q$4']q$4']q$4']q$4c]q$4c]q$@b]q$|-^q$$]q$$]q$c]q$c]q$_q
                                                                                                                    • API String ID: 0-4224596466
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: _q$$&^q$(_]q$4']q$4']q$4']q$4']q$4c]q$4c]q$@b]q$|-^q$$]q$$]q$c]q$c]q$_q
                                                                                                                    • API String ID: 0-4224596466
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: (aq$\;]q$|\q
                                                                                                                    • API String ID: 0-3734622031
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: (aq$(aq$(aq
                                                                                                                    • API String ID: 0-2593664646
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: (aq$d
                                                                                                                    • API String ID: 0-3557608343
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: $]q$$]q
                                                                                                                    • API String ID: 0-127220927
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: (aq$4']q
                                                                                                                    • API String ID: 0-4173138025
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: (aq$(aq
                                                                                                                    • API String ID: 0-3916115647
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: (aq$LR]q
                                                                                                                    • API String ID: 0-67906209
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: (aq
                                                                                                                    • API String ID: 0-600464949
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: (Abq
                                                                                                                    • API String ID: 0-1163130805
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: (aq
                                                                                                                    • API String ID: 0-600464949
                                                                                                                    APIs
                                                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 073D9FF8
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104860310.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_73d0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: DispatcherExceptionUser
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 6842923-0
                                                                                                                    APIs
                                                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 073D9FF8
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104860310.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_73d0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: DispatcherExceptionUser
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 6842923-0
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: (aq
                                                                                                                    • API String ID: 0-600464949
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: (aq
                                                                                                                    • API String ID: 0-600464949
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: (aq
                                                                                                                    • API String ID: 0-600464949
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: (aq
                                                                                                                    • API String ID: 0-600464949
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: (aq
                                                                                                                    • API String ID: 0-600464949
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: (Abq
                                                                                                                    • API String ID: 0-1163130805
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: (aq
                                                                                                                    • API String ID: 0-600464949
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: (aq
                                                                                                                    • API String ID: 0-600464949
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: 4']q
                                                                                                                    • API String ID: 0-1259897404
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: (aq
                                                                                                                    • API String ID: 0-600464949
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: LR]q
                                                                                                                    • API String ID: 0-3081347316
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: m
                                                                                                                    • API String ID: 0-3775001192
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: \;]q
                                                                                                                    • API String ID: 0-2696284100
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: LR]q
                                                                                                                    • API String ID: 0-3081347316
                                                                                                                    • Opcode ID: 88a135f27005893c89ad6dbe6aae4bdb0ac77b9f95383a165a2174032e1fb4e2
                                                                                                                    • Instruction ID: ebf79a0e6adec41ed80dc0e05121925978c2117d85ab3b348d8e8a5eb1369def
                                                                                                                    • Opcode Fuzzy Hash: 88a135f27005893c89ad6dbe6aae4bdb0ac77b9f95383a165a2174032e1fb4e2
                                                                                                                    • Instruction Fuzzy Hash: 84218435B10108DFEB189F69C455AAEBBF6EF8C714F108019E906E73A0DE75AC01CB90
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: LR]q
                                                                                                                    • API String ID: 0-3081347316
                                                                                                                    • Opcode ID: 68eb669ac5de21d2b5d68b7b7f079773f374aac83bff374aaab02414c8299aee
                                                                                                                    • Instruction ID: e7f0061a3943407bfec940dff3a60ac489e3548e3351f3186e5f8f00a3f14211
                                                                                                                    • Opcode Fuzzy Hash: 68eb669ac5de21d2b5d68b7b7f079773f374aac83bff374aaab02414c8299aee
                                                                                                                    • Instruction Fuzzy Hash: F8219335B10108EFEB189F69D455AAE7BF6EF8C714F108019E906E73A0DE75AC02CB90
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: fbq
                                                                                                                    • API String ID: 0-3185938239
                                                                                                                    • Opcode ID: f510c31e070ced16a22728d97cf8e1eabfeeb2e31ef1598e5233b6a14d8ba644
                                                                                                                    • Instruction ID: d6b8fff376d7d8845c9f0d6d75059e9b899d173ba89b797a9c3e855fa52c97f4
                                                                                                                    • Opcode Fuzzy Hash: f510c31e070ced16a22728d97cf8e1eabfeeb2e31ef1598e5233b6a14d8ba644
                                                                                                                    • Instruction Fuzzy Hash: C5116075B012199FDB589FB4A4455AFBFAAFBC8710B108029F906C7240DF399D12DBE1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: fbq
                                                                                                                    • API String ID: 0-3185938239
                                                                                                                    • Opcode ID: 2ad3deac8c566ea5585084279914bd3f7162f47174ad92f7804fd956e98b8791
                                                                                                                    • Instruction ID: 0280f3d21c4896e1e14e83e69f6952e43b780c66595385ce411d045eb02ecf12
                                                                                                                    • Opcode Fuzzy Hash: 2ad3deac8c566ea5585084279914bd3f7162f47174ad92f7804fd956e98b8791
                                                                                                                    • Instruction Fuzzy Hash: 31117035B012185BDB449FB9A84597FBAAAEBC8610F008029ED09D7340DE399D029BE1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: (aq
                                                                                                                    • API String ID: 0-600464949
                                                                                                                    • Opcode ID: 02b15dab965fa36f31924e72bc13a309166bfd65b9dae7cc1a4a222b9a4c8d9e
                                                                                                                    • Instruction ID: 09ac8f23d55647232163a353ddd6e574c4ca3c15a0b86efeeb2b295bba3db19b
                                                                                                                    • Opcode Fuzzy Hash: 02b15dab965fa36f31924e72bc13a309166bfd65b9dae7cc1a4a222b9a4c8d9e
                                                                                                                    • Instruction Fuzzy Hash: BC01D4313083445FE70ADB3DD8506AE3BD6DFC621071884A9D449CB3A6DE25EC07C752
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a648a0c37031110b80bcd3250d3fc6d8faebe86b9137638bf9157af179ef8d9e
                                                                                                                    • Instruction ID: 295252e417939758c61ff6357ebac050c8962b080df1d07c6400154ee548d90e
                                                                                                                    • Opcode Fuzzy Hash: a648a0c37031110b80bcd3250d3fc6d8faebe86b9137638bf9157af179ef8d9e
                                                                                                                    • Instruction Fuzzy Hash: 43D11674A003598FDB15CFA8C884A9DBBF2FF89304F158199D848AB3A5DB74ED46CB50
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a2b0131953e57f615c855b396f075855fbef73f8d5a8d30818186fa3d0a36072
                                                                                                                    • Instruction ID: af7f57029f29c499ac065fc9325a41b99665be53127f14d104b8a89d5be3582c
                                                                                                                    • Opcode Fuzzy Hash: a2b0131953e57f615c855b396f075855fbef73f8d5a8d30818186fa3d0a36072
                                                                                                                    • Instruction Fuzzy Hash: 9DB17D74B006058FEB19DF38D58496EBBF6FF88304B048669E94A8B365DB34EC46CB51
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 6b4cd3b9327cbec4478040a0fb788b6f8c11edad0dd9f56ad82fd41bb1e042d1
                                                                                                                    • Instruction ID: f1153fcaa6b4c37f38c796e50e8649223beb359ff6c037c5e33121030189f6e0
                                                                                                                    • Opcode Fuzzy Hash: 6b4cd3b9327cbec4478040a0fb788b6f8c11edad0dd9f56ad82fd41bb1e042d1
                                                                                                                    • Instruction Fuzzy Hash: 35717B74B002058FEB15DF38D5849AABBF6FF89304B04C669D94A8B365DB34EC46CB91
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: f9f998e7a1df3ece83af2769acf7031026e306130a000b54ef0612b103cd598a
                                                                                                                    • Instruction ID: 5ce15d096a65ab750f21b215b1ea59954d693eb1a36718e2fe60ce46f7d1815e
                                                                                                                    • Opcode Fuzzy Hash: f9f998e7a1df3ece83af2769acf7031026e306130a000b54ef0612b103cd598a
                                                                                                                    • Instruction Fuzzy Hash: BB514874B401418FEB189F2AC49892A77E6BFC971172980A9E106CF375EF74EC02CB50
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 5476083fe9b8b286ce01e3360d94eb64b0a17b190c91ac487fcb883983b46f24
                                                                                                                    • Instruction ID: a65fa817e3f0c1da568cffcf0af0eb8de92e4e63a4e540b20bcf026d2d8f1f0d
                                                                                                                    • Opcode Fuzzy Hash: 5476083fe9b8b286ce01e3360d94eb64b0a17b190c91ac487fcb883983b46f24
                                                                                                                    • Instruction Fuzzy Hash: 44615131B002099FEB58DF69E55476E77F6EF88744B108429D446EB390DF78AC06CBA1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: bcdd3d4ccd57e4a3fb1f4ee06d5439446a7c5fd78de1b7c9e0e3eaf19fce5a75
                                                                                                                    • Instruction ID: 50b1fcaf905c3e93f4bdc96f82add2f225954520d01554de3a62aeae412a3a5e
                                                                                                                    • Opcode Fuzzy Hash: bcdd3d4ccd57e4a3fb1f4ee06d5439446a7c5fd78de1b7c9e0e3eaf19fce5a75
                                                                                                                    • Instruction Fuzzy Hash: 36716A74B006058FEB15DF38D59496ABBF6FF88304B04C669D94A8B365DB34EC46CB90
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 9b29d4ba45602597305adc459e4c8bf8abb0c0a8274c620b5dd8fecdeb2fe642
                                                                                                                    • Instruction ID: cafa688cd2d90da9c41a02c2b30de8adc427a5a6958ea39fd5ad61fc85bf7912
                                                                                                                    • Opcode Fuzzy Hash: 9b29d4ba45602597305adc459e4c8bf8abb0c0a8274c620b5dd8fecdeb2fe642
                                                                                                                    • Instruction Fuzzy Hash: 19517B70B402068FEB04DF69D940AAEBBF6FF88310B148569E815DB3A5DB34ED05CB91
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 7beb1f856cdc859c1caad69304b70c9689f87f56198251d15da7cd01f77a2847
                                                                                                                    • Instruction ID: a566374758bf4c2af0d335227378699c24bd99383e706e0f1baad3f253600f55
                                                                                                                    • Opcode Fuzzy Hash: 7beb1f856cdc859c1caad69304b70c9689f87f56198251d15da7cd01f77a2847
                                                                                                                    • Instruction Fuzzy Hash: AE511BB4E00208AFEB05DBE4D9607DEBFB6EF88310F104029D619677A5DE396D05CBA5
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 14e116f0d06bd209d70e6d281fd61081aab959d03d8d7ed6103fb5705eaa8778
                                                                                                                    • Instruction ID: 20a40738bfe0d80fb2d3603f4b01e54f078785bee5aa784d4e1d04fc9c94450e
                                                                                                                    • Opcode Fuzzy Hash: 14e116f0d06bd209d70e6d281fd61081aab959d03d8d7ed6103fb5705eaa8778
                                                                                                                    • Instruction Fuzzy Hash: 355164B4A0120DEFEB08EFE4E8546AEBB76FF88300F008419D915677A5CE392D15CB61
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 345adade024f08b9361f1064157849af1df0df07b19fba49f3d9c9aed1967679
                                                                                                                    • Instruction ID: 3452d7731757698a837fe0ebb1e2ba8c6ed77298300d53067d58a2709b4974d5
                                                                                                                    • Opcode Fuzzy Hash: 345adade024f08b9361f1064157849af1df0df07b19fba49f3d9c9aed1967679
                                                                                                                    • Instruction Fuzzy Hash: D951813475120A5FCB05EB78E95096EBBABEFC4214710C629D809DB254EF78ED0AC7E1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000002.2105481853.0000000004D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D0D000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_2_4d0d000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: ec10b8be613f4ed77d6750f9545ace4fa6c6a4e51857753f984917ab61baf086
                                                                                                                    • Instruction ID: c0fea2fd015677ae7b954be2e732e052874aeb34408ba17552a7bef1ad5c5f48
                                                                                                                    • Opcode Fuzzy Hash: ec10b8be613f4ed77d6750f9545ace4fa6c6a4e51857753f984917ab61baf086
                                                                                                                    • Instruction Fuzzy Hash: 27213775604244DFCB05DF54D9C0F26BF66FBC8324F20C56AE90A0B296C33AE456DBA2
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 3ccd00483413fe1a342a4dac3e4f5c01ecc19700fe1545c5374e95b6a8b21e93
                                                                                                                    • Instruction ID: 598e15930c7136ad785e7c8d216860131a2f51549293a63b800ba6c31945727c
                                                                                                                    • Opcode Fuzzy Hash: 3ccd00483413fe1a342a4dac3e4f5c01ecc19700fe1545c5374e95b6a8b21e93
                                                                                                                    • Instruction Fuzzy Hash: B021B034F01208CFEB14AF75E94566A77EAFB84711F1080B5E8058B251EF75BC46CBA0
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 1de7b5ebb39725cd32fe3b971fd8e8b721f95fe856832fc02a8ff9109fdd3ef2
                                                                                                                    • Instruction ID: c8702403ba2126c610094a6554702c2237ebb0ed6dbf341cc1fc93e3478e7407
                                                                                                                    • Opcode Fuzzy Hash: 1de7b5ebb39725cd32fe3b971fd8e8b721f95fe856832fc02a8ff9109fdd3ef2
                                                                                                                    • Instruction Fuzzy Hash: 241184757642014FAB18CA1DD880A2BB7D6EFC9260314843E994AC7759EE71FC028391
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000002.2105481853.0000000004D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D0D000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_2_4d0d000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a996b1983543c5beebe690202e7c9c6d8fa4abb51b24ded49f3361ae76a63bf0
                                                                                                                    • Instruction ID: 6542456fedae53f232448a4e59a3ffcdf0d2a830315e360c7bc65d06038ad17b
                                                                                                                    • Opcode Fuzzy Hash: a996b1983543c5beebe690202e7c9c6d8fa4abb51b24ded49f3361ae76a63bf0
                                                                                                                    • Instruction Fuzzy Hash: A511E276504280CFCB16CF50D9C4B16BF72FBC4324F24C6AAD9494B656C33AE45ACBA2
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 95bf7fac360d541ec94a11f7cd4cd499f160fe225fa0c63305d7a5f954a823d7
                                                                                                                    • Instruction ID: 25bd3bd9a35f53433688913b5c0903352e2a053523d7e0165a47f6289f95e7ef
                                                                                                                    • Opcode Fuzzy Hash: 95bf7fac360d541ec94a11f7cd4cd499f160fe225fa0c63305d7a5f954a823d7
                                                                                                                    • Instruction Fuzzy Hash: CB21BA74E01209DFDF04EFA8D591AAEBBF2EF88310F508499D505A7364DB30AE41CB91
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: bebf9bc91658f21b162f6dbffa981e60aefe869ce81f8c6cb18be1bf02ed5406
                                                                                                                    • Instruction ID: 3e4573c4093cb2fba8b60802acb835f2a0dfaa778ba44d12bed63bb87b73449b
                                                                                                                    • Opcode Fuzzy Hash: bebf9bc91658f21b162f6dbffa981e60aefe869ce81f8c6cb18be1bf02ed5406
                                                                                                                    • Instruction Fuzzy Hash: 141117B4D002098FDB10DFAAC584AEEFBF4FF48314F108429D55967240CB78A945CFA1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 283ccbe9405805fe2f040c0be818a2541f1fce33d2b223d290b3956a9ddc0321
                                                                                                                    • Instruction ID: 38d50deb5cdb258fdcebdc090c7ead22c2a9654127c7e1ac52939691ae07bcdc
                                                                                                                    • Opcode Fuzzy Hash: 283ccbe9405805fe2f040c0be818a2541f1fce33d2b223d290b3956a9ddc0321
                                                                                                                    • Instruction Fuzzy Hash: CE01B531B0630B1FEB495FBCA9651273FDDDE8621430509BAC649CB151F91C9C06C791
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 40105a4d9b6a5570f703576f82b565c1d99b0fa208413fc0254da7ebf2433a70
                                                                                                                    • Instruction ID: f084101ea76d72ac9676e16015855ee739fd6796815d013c78c5fcf3726446b6
                                                                                                                    • Opcode Fuzzy Hash: 40105a4d9b6a5570f703576f82b565c1d99b0fa208413fc0254da7ebf2433a70
                                                                                                                    • Instruction Fuzzy Hash: 85112435600219EFDB04DFA4E464AAE7BBAEF8C311F145029E509E7354CF799C45CB90
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 2669e279eca432e075725a296dd6fe14d5034be6c00989c962833ca57ee001b5
                                                                                                                    • Instruction ID: 615a3a6fd51c852b2bb5398af545ed20da27f487c35075672aeaa69c9be3c6b3
                                                                                                                    • Opcode Fuzzy Hash: 2669e279eca432e075725a296dd6fe14d5034be6c00989c962833ca57ee001b5
                                                                                                                    • Instruction Fuzzy Hash: B401F234700206AFDB15DA79D88095BFBEAFF89310704817AD41CC7265EB38EC46CBA1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 756b8b604eee39cd3d50a19570a2cc61f465fdc5c20e021bdc541eb09b644dcb
                                                                                                                    • Instruction ID: f126785e0370e787b3d7e19057afb4f3a5fb36abd9e612e4e1b568c3072db6b1
                                                                                                                    • Opcode Fuzzy Hash: 756b8b604eee39cd3d50a19570a2cc61f465fdc5c20e021bdc541eb09b644dcb
                                                                                                                    • Instruction Fuzzy Hash: 2C01AD31B101068BFB18AA689A657EF7BE79BC8708F144429D501B7380CEB5AC079791
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000002.2105481853.0000000004D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D0D000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_2_4d0d000_rundll32.jbxd
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: b7dea99ff9f64c18acc9b4fa14b2a5a26a87cc2443ab3f151b7ce566344624f3
                                                                                                                    • Instruction ID: c1e4883b2629a28dfc4107dc4c8a79e902f70c20ad9234131f2bdf6e38e54005
                                                                                                                    • Opcode Fuzzy Hash: b7dea99ff9f64c18acc9b4fa14b2a5a26a87cc2443ab3f151b7ce566344624f3
                                                                                                                    • Instruction Fuzzy Hash: 25F0CDB0300605ABE3289B69D45165E76DEDFC0314B40852CD10D8B695CF797809C7B0
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: aa2bc3228f3e035e41d1a71c73f8823c72787bbf72bd5f87b8de75b0363ac27c
                                                                                                                    • Instruction ID: 319109e06d7e43011c226ec1f5dd5c9e409d609339f7cf7b918c3c978efe2ce0
                                                                                                                    • Opcode Fuzzy Hash: aa2bc3228f3e035e41d1a71c73f8823c72787bbf72bd5f87b8de75b0363ac27c
                                                                                                                    • Instruction Fuzzy Hash: 26F09E312043826FD7269A34D80099BBBE9DFC2750B464177D449C7065FB70EC05C790
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 57672b4b0470199e0e8cb71673a8f762148f3efd9972b507f6bb86fec5bfa2c7
                                                                                                                    • Instruction ID: cff4eece4f447144841f06cbed87ee49b77951123103a8f5f422ca032bf76c43
                                                                                                                    • Opcode Fuzzy Hash: 57672b4b0470199e0e8cb71673a8f762148f3efd9972b507f6bb86fec5bfa2c7
                                                                                                                    • Instruction Fuzzy Hash: F901FFB4E0120CEFEB44FFB8E541A9D7BF9EF84204F1086A8D408A7280DA357E05CB91
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 282d802cdf5ba6e7326c6c88efd471ae13a546af7f57f313d5b2a648d9ef3e00
                                                                                                                    • Instruction ID: 9beac807da3de439a7bea5cd0e8917d8be6175d93ed6522443e68c940365d17e
                                                                                                                    • Opcode Fuzzy Hash: 282d802cdf5ba6e7326c6c88efd471ae13a546af7f57f313d5b2a648d9ef3e00
                                                                                                                    • Instruction Fuzzy Hash: 5EF06271B0230B5FEB4C5FBCA6655163BDEEEC5214315093AC60ACB1A5E92C9C06CB91
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 0bd52fecb0c3bdfd4a152b76bfb02c95bda679d1eab886c26a21ca4c7c8d92ca
                                                                                                                    • Instruction ID: c1ce7d9339f7bd82e6794a7f26aeb7553c82e4e94cc8710847c160236bdf85ff
                                                                                                                    • Opcode Fuzzy Hash: 0bd52fecb0c3bdfd4a152b76bfb02c95bda679d1eab886c26a21ca4c7c8d92ca
                                                                                                                    • Instruction Fuzzy Hash: 59F0B4343082428FEB259F7CE95095A7FEADFC920430485A9D049CB275DB25EC07CB60
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 1fb858f33d8080b73a4c8d677dd3f4ce9cc8aec7ed973c6017796eaffc304ebd
                                                                                                                    • Instruction ID: f2fa25f55ff685b18b844e4729b45e2598b8e4923cc4340a46f807041ba3d5bb
                                                                                                                    • Opcode Fuzzy Hash: 1fb858f33d8080b73a4c8d677dd3f4ce9cc8aec7ed973c6017796eaffc304ebd
                                                                                                                    • Instruction Fuzzy Hash: B8F0E5357002128BEB04DA79D8044A6B7DAAF882A430495B5DA0CC7724EE75EC43C790
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 29a1d960823dba66ef73676520c783afc7af9eec50fa1c4c7db47345200410a5
                                                                                                                    • Instruction ID: 2e1b9166c8fc7a5a84796e68e9eda228fc1f488d53e906b4b03ae308d963b315
                                                                                                                    • Opcode Fuzzy Hash: 29a1d960823dba66ef73676520c783afc7af9eec50fa1c4c7db47345200410a5
                                                                                                                    • Instruction Fuzzy Hash: 43F0A7313083448FE7155B39A884956BFE9EB86365B1500FAE149C72A2DA249C05C750
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 936af9c475a2f3217c9ab07677a20b92534054054654236b15ef9e95c319f92f
                                                                                                                    • Instruction ID: d8d91709dcddb87eee2bee1a326c4a4042732f91e15758b644fa76cfcadb7716
                                                                                                                    • Opcode Fuzzy Hash: 936af9c475a2f3217c9ab07677a20b92534054054654236b15ef9e95c319f92f
                                                                                                                    • Instruction Fuzzy Hash: FEF0A020B193590AFF251A75590039B3FDA4B4A718F01007ACCC2CAA92E6D4EC828BE1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 918df0a873148eed1d021913d5a7ec81f6f8dca47e892917418f67ebb1e02367
                                                                                                                    • Instruction ID: 1a1f68ab0c05241035c7e86ed1f5ad42a836ea1f84f1f32166adc09cd03c0d76
                                                                                                                    • Opcode Fuzzy Hash: 918df0a873148eed1d021913d5a7ec81f6f8dca47e892917418f67ebb1e02367
                                                                                                                    • Instruction Fuzzy Hash: 56F08C70D0934CAFCB10DBA8E8014EDBFB9AA45310F0040EAD444DB261DA341A46CF86
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 25c89a055648b4ffc23e5b827f6ed15f45bed3637f0d41bcd6593ec653a63fdc
                                                                                                                    • Instruction ID: 72b331563c15c0ee7c0f67dbe65879e87c142943f084c66e8073956c2d441545
                                                                                                                    • Opcode Fuzzy Hash: 25c89a055648b4ffc23e5b827f6ed15f45bed3637f0d41bcd6593ec653a63fdc
                                                                                                                    • Instruction Fuzzy Hash: C4F030B2E05216DF8F44DFB999011EABBF0EF48251B20957AC81AD7200F3309A16CFC1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: ec925e45accd8459de645a7406b0d3386fab9b09fb98d1d3470d488abcf4509e
                                                                                                                    • Instruction ID: c59c84333e1479f1adb11df5e43240f49e8709d171e170ad752da1b90a03ef1b
                                                                                                                    • Opcode Fuzzy Hash: ec925e45accd8459de645a7406b0d3386fab9b09fb98d1d3470d488abcf4509e
                                                                                                                    • Instruction Fuzzy Hash: ABF027B190A24CAFDB21DFB4A9124DA7BF9EB0530071041EBD808CB652DA355E04C392
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 109ed4601079ff1fb14f88371347a82740b392ae9fef68d149aec8883589d5f1
                                                                                                                    • Instruction ID: 55a8f3415361c464747b2c63897119c521cf40a81927394c0bcf761e9146c671
                                                                                                                    • Opcode Fuzzy Hash: 109ed4601079ff1fb14f88371347a82740b392ae9fef68d149aec8883589d5f1
                                                                                                                    • Instruction Fuzzy Hash: A3E02B723005011BA629A76DA85091F76DEFFC4264300843DD01DCB740DE24FC06C395
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: c18a021f7dcaaee83c4844d743c0901e319d51e7f3c42ac662b95fc1b9a373c6
                                                                                                                    • Instruction ID: a27b88e2aeb313e5732ec4b9befbd8e6f179a135d1bf7a5a76739904670012ff
                                                                                                                    • Opcode Fuzzy Hash: c18a021f7dcaaee83c4844d743c0901e319d51e7f3c42ac662b95fc1b9a373c6
                                                                                                                    • Instruction Fuzzy Hash: 05E0D8366443829BD715467198144D2FFBADE4626031845F3C9448A212DB35DC83C7A1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a779d9333b0511f4bc51766d4e2b05abb1947f60994e8f56d83da13a2a59b12b
                                                                                                                    • Instruction ID: 026e3f5b1369cbff511e8a0ebf5969c7b7b27224693da32a85774dba08f9b607
                                                                                                                    • Opcode Fuzzy Hash: a779d9333b0511f4bc51766d4e2b05abb1947f60994e8f56d83da13a2a59b12b
                                                                                                                    • Instruction Fuzzy Hash: A6E02B312047055BC3256B78E01559F7FE9EFC2324B00443AD486C7641DF786805CBA6
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 71fec3b69ece0628aa88fc166503ed7fb554700a436b1995bc91f5695c81d3ea
                                                                                                                    • Instruction ID: 4494a9b1d76ff4dcb46d64ffee1865ee10d4ed6131305417a8108f92b69fb50e
                                                                                                                    • Opcode Fuzzy Hash: 71fec3b69ece0628aa88fc166503ed7fb554700a436b1995bc91f5695c81d3ea
                                                                                                                    • Instruction Fuzzy Hash: E9F0A0712042849FD315CF68D840C81BBE4AF1921030580A6E848CB762D721EC16CB91
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: abfe02a97162fe14a7063c99e6811aed0ae84aa6763b2d5ef2e215030386cbac
                                                                                                                    • Instruction ID: edf181af567911066f3fec9b97342ef2d8e2c85c9d14b2c4d24094976baa868e
                                                                                                                    • Opcode Fuzzy Hash: abfe02a97162fe14a7063c99e6811aed0ae84aa6763b2d5ef2e215030386cbac
                                                                                                                    • Instruction Fuzzy Hash: C3D0C731715608CBDF589A64E55553577D9978C614300445C980AC7341DB26FC12C650
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 7763c4fe9d0f66d051558d4948d3fb342fb30a82c03b8b380d3649dda4cf7b0f
                                                                                                                    • Instruction ID: 9fb7a13cb065c3c4448eb5a68949e375883118cc3d34501cc2ce74b811ecce8e
                                                                                                                    • Opcode Fuzzy Hash: 7763c4fe9d0f66d051558d4948d3fb342fb30a82c03b8b380d3649dda4cf7b0f
                                                                                                                    • Instruction Fuzzy Hash: 1891822185E3E15EE703AB3C99B08C67FB4AE43218B1A00D7C1D4CF0B7E558995DD7AA
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000005.00000003.2104829702.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_5_3_4f90000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: (aq$,aq$,aq$Haq$`]bq$`]bq
                                                                                                                    • API String ID: 0-3110493107
                                                                                                                    • Opcode ID: 547498eb3391e70d5853ca32e3a5ac349153dac187884f4d3bc42ad8ff7a66a2
                                                                                                                    • Instruction ID: 1f67cd02965ef35d56c88f69d6c7f9c81a25266e21fcd66cfce02aafae4c74db
                                                                                                                    • Opcode Fuzzy Hash: 547498eb3391e70d5853ca32e3a5ac349153dac187884f4d3bc42ad8ff7a66a2
                                                                                                                    • Instruction Fuzzy Hash: F5414731B041199FEB645F3CA41446E3BEAEFCA62232444AAD506DB3A1DE74EC03C7A5
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000003.2110197108.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: e01b185a9e669596fb52506a40e9ee597463cf63a3eeb66dbf01aaf39abd646f
                                                                                                                    • Instruction ID: 0933f94ea09daf83b9335c3ff2f3d9a9c639606e9264c5a8134e4becd04ecd82
                                                                                                                    • Opcode Fuzzy Hash: e01b185a9e669596fb52506a40e9ee597463cf63a3eeb66dbf01aaf39abd646f
                                                                                                                    • Instruction Fuzzy Hash: 71B13DB0E00209CFEF54CFA9C9857EDBBF2AF88314F149529D815A7294EB749845CF91
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000003.2110197108.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: d1c26e69f6ee9ac6f998f9cd942e0f8c7380c33d67c64f1e80b0d8a2211cd286
                                                                                                                    • Instruction ID: 867711b6378ffd44f61fb2eda2fbf68f6f6aac60c23e892b277229588a99b5b5
                                                                                                                    • Opcode Fuzzy Hash: d1c26e69f6ee9ac6f998f9cd942e0f8c7380c33d67c64f1e80b0d8a2211cd286
                                                                                                                    • Instruction Fuzzy Hash: BAB15E70E00209CFEB54CFA9C8857EEBBF2AF88314F149629D819E7254EB749845CF95
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000003.2110197108.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: $]q$$]q
                                                                                                                    • API String ID: 0-127220927
                                                                                                                    • Opcode ID: ae0a7751b7e87254b3bd4afe0afce70f4566163a38524584702aa9c67504a3c2
                                                                                                                    • Instruction ID: e874fdb6834148cfa0dbb6da67db5231d68b36ab9d438f85802a8d9c6c3b1333
                                                                                                                    • Opcode Fuzzy Hash: ae0a7751b7e87254b3bd4afe0afce70f4566163a38524584702aa9c67504a3c2
                                                                                                                    • Instruction Fuzzy Hash: D951C031B002098FCB59DF78D8606EE7BF6FF89350B54812AD519D7364EA308D02C791
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000003.2110197108.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: (aq
                                                                                                                    • API String ID: 0-600464949
                                                                                                                    • Opcode ID: e58a76b3e21f4da46014d451aa9058688d583b6d1fa6334a746f194b47660a27
                                                                                                                    • Instruction ID: f6985cc06d75d14e54408eaf8596ee0579cc61c484b87304620c8489a55eb914
                                                                                                                    • Opcode Fuzzy Hash: e58a76b3e21f4da46014d451aa9058688d583b6d1fa6334a746f194b47660a27
                                                                                                                    • Instruction Fuzzy Hash: 1171A335B002189FDB499BB5C8647EEB7ABAFC8300F149029E906DB3A4DE74DD42C791
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000003.2110197108.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: (aq
                                                                                                                    • API String ID: 0-600464949
                                                                                                                    • Opcode ID: 2dda0bf600c16e0576e2eeacde628c5629b0db7106e971e20a0d6ad74de30a81
                                                                                                                    • Instruction ID: 42aafc49ff27027d95220c41f6e3be6e421c57db1626592d271f439c74ff2285
                                                                                                                    • Opcode Fuzzy Hash: 2dda0bf600c16e0576e2eeacde628c5629b0db7106e971e20a0d6ad74de30a81
                                                                                                                    • Instruction Fuzzy Hash: 96412831B511095BEB88AB6898747FE679ADFC8310F14A43DDA16EB382CE359D07C790
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000003.2110197108.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: (aq
                                                                                                                    • API String ID: 0-600464949
                                                                                                                    • Opcode ID: 025bad9c1b78f8eb717b17cf1643f4c2ed5ff303da1f62b59bed5fb46329e8e5
                                                                                                                    • Instruction ID: 6a486087980a041e7dee2d074db77f0f4b11c84eef7512c43009e9db63bdbb59
                                                                                                                    • Opcode Fuzzy Hash: 025bad9c1b78f8eb717b17cf1643f4c2ed5ff303da1f62b59bed5fb46329e8e5
                                                                                                                    • Instruction Fuzzy Hash: ED510431B04244AFEB499B64D8687FE7BB6EF8D310F149069D506E7382CE399C46CB91
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000003.2110197108.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 19f51b353d62947a281e3ea32a442dcd8cf0517581d8e33ab17bd6bff3438b74
                                                                                                                    • Instruction ID: 24c0ddbbc7ce984aba04d524abada1d8dd862dc4ef918527623adad796d2cf8a
                                                                                                                    • Opcode Fuzzy Hash: 19f51b353d62947a281e3ea32a442dcd8cf0517581d8e33ab17bd6bff3438b74
                                                                                                                    • Instruction Fuzzy Hash: 97B13BB0E00209CFEF54CFA9C9857EDBBF1AF88314F249529D819A7294EB749845CF91
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000003.2110197108.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 05a1e64fdaf579cdcefc5aff2f49671060e7352e712a83711ed9d01020929320
                                                                                                                    • Instruction ID: 7110918c61d8c5c45535773ea18ce88573ff3c92920e36ea225a369f132c8cc3
                                                                                                                    • Opcode Fuzzy Hash: 05a1e64fdaf579cdcefc5aff2f49671060e7352e712a83711ed9d01020929320
                                                                                                                    • Instruction Fuzzy Hash: B8B15F70E00209CFEB50CFA8C9857EEBBF2AF48314F249629D419E7254EB749846CF91
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000003.2110197108.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 589a1e81fff9b86330a3ad1b9b964a092852da80a69d94e78c45395694acfc2f
                                                                                                                    • Instruction ID: 7513b9d0dd9967cbc70afad934a16bf0694250e6f1be76cb5ee399d1c4c3608d
                                                                                                                    • Opcode Fuzzy Hash: 589a1e81fff9b86330a3ad1b9b964a092852da80a69d94e78c45395694acfc2f
                                                                                                                    • Instruction Fuzzy Hash: 2F318837B052057FE70A567078717BA3B1ADB81390B44203AD60CCF293DE299C4BCBA1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000003.2110197108.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 9cb6c28b23f19275c006f049518198bee32525ed665606e954075070c03fac2d
                                                                                                                    • Instruction ID: 4fd2efd8d68dcff0f4925e2de42253ed6f2f476c2873241c6851e63f4bf2b0c0
                                                                                                                    • Opcode Fuzzy Hash: 9cb6c28b23f19275c006f049518198bee32525ed665606e954075070c03fac2d
                                                                                                                    • Instruction Fuzzy Hash: 11410635B101049FCB84DF79D8809EEBBB2FB88710B10816AE915EB361DB31DD42CB90
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000003.2110197108.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: fbf454aa632e3e6dc94ad1b51d226cca5f9acfa984e8efe8e625f7ecc92bcc0a
                                                                                                                    • Instruction ID: 0141420dea534bf7f76727821d6ac831bb48d7eb740d9a0adabccfb13734d471
                                                                                                                    • Opcode Fuzzy Hash: fbf454aa632e3e6dc94ad1b51d226cca5f9acfa984e8efe8e625f7ecc92bcc0a
                                                                                                                    • Instruction Fuzzy Hash: 5F110632F102149BEF558A7588A47FEBBEADBC8250F48A03AD906D7241EE74CD478391
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000003.2110197108.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2110888754.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_a0d000_rundll32.jbxd
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 9922173fbfc565b37a89255165df37485fbcb7a7853b65801951603ce5da8082
                                                                                                                    • Instruction ID: cf2828c79132b3147ab048ae5c22fa5e42b3ec301e9efe5e57b4b6471eeea25f
                                                                                                                    • Opcode Fuzzy Hash: 9922173fbfc565b37a89255165df37485fbcb7a7853b65801951603ce5da8082
                                                                                                                    • Instruction Fuzzy Hash: AEF0F630A122467EEB0E4F7855752393F9EEECA318745186EC189CF2A1FD2D8C46C391
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000003.2110197108.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: b2580b16ede06120260a95888dd73807ab252ec3e967e25ceef39bd01c25546f
                                                                                                                    • Instruction ID: 1615e48b2924c084910aeb58f3532aff21a88bdfd15f81ca3595147c8acbe3fa
                                                                                                                    • Opcode Fuzzy Hash: b2580b16ede06120260a95888dd73807ab252ec3e967e25ceef39bd01c25546f
                                                                                                                    • Instruction Fuzzy Hash: 9FF090313102404BDB0CBB74EA55AAA3B5EEF81310B00A538E5068B265DE66DD4897D0
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000003.2110197108.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 409f80116bb37941dffab4c56fbc01e2f01d530278b827a3ed74ae2a49ee7727
                                                                                                                    • Instruction ID: 6af85595fa7177df273c6e2a25f400a392f96f032908641e6c418c415bc6ff2b
                                                                                                                    • Opcode Fuzzy Hash: 409f80116bb37941dffab4c56fbc01e2f01d530278b827a3ed74ae2a49ee7727
                                                                                                                    • Instruction Fuzzy Hash: C4E0DF2134B2A48FA71A26A134062FE3B9CA986721716619BE80AC2193DF0D8E438745
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000003.2110197108.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 5c8909ca03aa37e3a588e3496b2d8f2202ae71c5c0ce2f3c323188753e444298
                                                                                                                    • Instruction ID: 2c31bccac351bfe4523b990ef97cf7ec911e4a858062936372148bf0432a1bfb
                                                                                                                    • Opcode Fuzzy Hash: 5c8909ca03aa37e3a588e3496b2d8f2202ae71c5c0ce2f3c323188753e444298
                                                                                                                    • Instruction Fuzzy Hash: 7CF02B31618345CFCB529724D4757697B58EF01304B64ADAAD10DCB617D925DC81C742
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000003.2110197108.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: bc2b56c110c75b9dbc8ba373b6b65ae0c7ed01d80cf128a24206e2aeda39cbc7
                                                                                                                    • Instruction ID: c67e1a88b01b0a488e972e9df950428bc9c5580d23984670b02ac5fd0d43b159
                                                                                                                    • Opcode Fuzzy Hash: bc2b56c110c75b9dbc8ba373b6b65ae0c7ed01d80cf128a24206e2aeda39cbc7
                                                                                                                    • Instruction Fuzzy Hash: 77E0DFB18492049FDB08CFB0E9425CC7FB8DB0620872041AAC488D7233EA384A03CB80
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000003.2110197108.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 5298ab9a8e3ef2f341dc9e9239e6f266f01058d9a4c94251e9b659d1c7eac80d
                                                                                                                    • Instruction ID: 8856d1ec487d12c381b6c73664b3fb9173c06274361535b523eca8ec3d53aaa0
                                                                                                                    • Opcode Fuzzy Hash: 5298ab9a8e3ef2f341dc9e9239e6f266f01058d9a4c94251e9b659d1c7eac80d
                                                                                                                    • Instruction Fuzzy Hash: 7CD012313065688B9A1426A664143FE759CAB45751B416129E82AD2281DF4ECE414795
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000003.2110197108.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 3d3cfa41edfca7fedc7ca6d91ba359a71f8af87484a5a23530aa32c4458eda96
                                                                                                                    • Instruction ID: 14365568ccaa129fe1e32bda74ec648d9577647ccaddabfe05d2dbb9e8a1bb44
                                                                                                                    • Opcode Fuzzy Hash: 3d3cfa41edfca7fedc7ca6d91ba359a71f8af87484a5a23530aa32c4458eda96
                                                                                                                    • Instruction Fuzzy Hash: 8BE02B793442508FE7059734F0205B43B36EB4B318B2040DBD147CB2B3DA25CC038305
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000003.2110197108.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 2dc369ef547c00f50d847cbbb402b2deea20aab454a03adcdb211f975017ecc3
                                                                                                                    • Instruction ID: ed8d6093941408b829644012ba3d87cba487cafd44c66995056b0418b42dd7b9
                                                                                                                    • Opcode Fuzzy Hash: 2dc369ef547c00f50d847cbbb402b2deea20aab454a03adcdb211f975017ecc3
                                                                                                                    • Instruction Fuzzy Hash: 16D02E763682408FC709EB60F4060EA3F62E712210300402BE642C72B7EE3004A2C341
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000003.2110197108.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 2d6453c9a75e891d85adff5c0607495a20e34d11158d43337799178da0a3c7df
                                                                                                                    • Instruction ID: 666ee093be2c30cb758b92047edc2317fe254275372a988ee8d67babc40c8367
                                                                                                                    • Opcode Fuzzy Hash: 2d6453c9a75e891d85adff5c0607495a20e34d11158d43337799178da0a3c7df
                                                                                                                    • Instruction Fuzzy Hash: B5D0A7313541205FE704565CD450A7D339DDF4A714B0054AAF209CB320C961FC4143C9
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000003.2110197108.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 33b0ed9ac4ecc9d9d55638faf6aab02c1d1b8e300c3885358fe3acbc93c6c82e
                                                                                                                    • Instruction ID: d13db7b152d866788cd61ad8e9f570fe8a514a0f6b8d03d7f94e731d96ea6e08
                                                                                                                    • Opcode Fuzzy Hash: 33b0ed9ac4ecc9d9d55638faf6aab02c1d1b8e300c3885358fe3acbc93c6c82e
                                                                                                                    • Instruction Fuzzy Hash: F0D0A7323140186FA7486A19E8599EA7BD9EB842A03509437FA0183220CD70AC4493D5
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000003.2110197108.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 5b45afe8e402cd5e58158b82c12f7defa95903bd55e56691362b97cdcd7c5f25
                                                                                                                    • Instruction ID: 93d1494aaa66afb930422d7412c0cb32b794b865a44b2714512aee1e9dd3bdf7
                                                                                                                    • Opcode Fuzzy Hash: 5b45afe8e402cd5e58158b82c12f7defa95903bd55e56691362b97cdcd7c5f25
                                                                                                                    • Instruction Fuzzy Hash: 00D0A930A8030D2AF7C822A0F8293F632989780B08FB02068EA1C891D0CEA98880C194
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000003.2110197108.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: c5fbb3d5e3a0bd0416ba2651accd74fa673ea96cd0b0be54c732ac0be0ce490b
                                                                                                                    • Instruction ID: 313b7d82024eb593644c7e377eeacd0e95b0c502a4c2fb0e703f6ca3ac74a806
                                                                                                                    • Opcode Fuzzy Hash: c5fbb3d5e3a0bd0416ba2651accd74fa673ea96cd0b0be54c732ac0be0ce490b
                                                                                                                    • Instruction Fuzzy Hash: 38C080EF7066655EDBC612747D153DB5F038705B41B411972C37CC9050F914C745CA66
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000003.2110197108.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: c0325028618891fbf8b486c8e192567c046ead7fe72ea9d507111255254b3ace
                                                                                                                    • Instruction ID: c65543055848a585b33521128be35096e4716786a467e174734b09f76cbe6530
                                                                                                                    • Opcode Fuzzy Hash: c0325028618891fbf8b486c8e192567c046ead7fe72ea9d507111255254b3ace
                                                                                                                    • Instruction Fuzzy Hash: D3D05E74909209DFCB08DFB4E90599DBFFDEB44204B2086A59408D3220EA309E00DB80
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000003.2110197108.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 47463d01dc711616bbcd8d7d24d88d80c78ca765902a38d91b7cf2c7d712ec5a
                                                                                                                    • Instruction ID: cfbd4726e8a09748eaef3a148321f0de438a88bc5fa3bdee792708ac0ddfd512
                                                                                                                    • Opcode Fuzzy Hash: 47463d01dc711616bbcd8d7d24d88d80c78ca765902a38d91b7cf2c7d712ec5a
                                                                                                                    • Instruction Fuzzy Hash: 08D01276459381AFD706466848514F67BB4FA73615399E2ABC0C0C5057D22F9493C671
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000003.2110197108.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 98c898c78c7068a31eef3cb0984954b3d9a4b5d14b5412ea88b6e4da7f4fe925
                                                                                                                    • Instruction ID: 20580043ab03730b54bde36dd8edb1a1ba1d39b007beb94733280a1c60ce4a71
                                                                                                                    • Opcode Fuzzy Hash: 98c898c78c7068a31eef3cb0984954b3d9a4b5d14b5412ea88b6e4da7f4fe925
                                                                                                                    • Instruction Fuzzy Hash: 38C09B3178034877F75416A0EC257BD3125EBD4705F645021F61DF91C0CD554C408250
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000003.2110197108.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_3_67b0000_rundll32.jbxd
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000D.00000002.2166171084.00007FF848950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848950000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_13_2_7ff848950000_AteraAgent.jbxd
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000D.00000002.2167437163.00007FF848A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A40000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_13_2_7ff848a40000_AteraAgent.jbxd
                                                                                                                    • Instruction ID: ae7c5fd2fa1396dc45c2046c27d03299c45a4fec0bbf562aea23af885055ce9e
                                                                                                                    • Opcode Fuzzy Hash: 21d0ff91bebc798413bcdd852a864ee5c3ff3248dcb48b5c439640bad1a7bf11
                                                                                                                    • Instruction Fuzzy Hash: 9DC14C7190DE8A4FE796EF288859AA5BFE0FF153D1F0401F9D449CB193EB28A845C784
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000D.00000002.2167437163.00007FF848A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A40000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_13_2_7ff848a40000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 516c6a640b2505affc1f53ab6fe5d627e2afe19a31dd34c688d2a182016de320
                                                                                                                    • Instruction ID: 3266ea330a5f1b2eb99339adc864d5eafe3980fd101f2ed8cfef56e69b082b8a
                                                                                                                    • Opcode Fuzzy Hash: 516c6a640b2505affc1f53ab6fe5d627e2afe19a31dd34c688d2a182016de320
                                                                                                                    • Instruction Fuzzy Hash: D6A11930A0DB894FD79AEB2C98555747FE1EF9AB50F0601FBD089C71A3DE58AC068352
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000D.00000002.2166171084.00007FF848950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848950000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_13_2_7ff848950000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 949946b4bd8e8bb28c7fec598be4ceeb5983bedb04bd7587a524b58be3a31ab0
                                                                                                                    • Instruction ID: b6b38fab55c30c91dd144cdd4ff507a704d7d8a3abffee1cdd0f8d4b144ba8f4
                                                                                                                    • Opcode Fuzzy Hash: 949946b4bd8e8bb28c7fec598be4ceeb5983bedb04bd7587a524b58be3a31ab0
                                                                                                                    • Instruction Fuzzy Hash: 96B1D33050CA8D8FDB68EF2898557E97BE1FF55351F04426AE84DC7292CB3899448B86
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000D.00000002.2166171084.00007FF848950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848950000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_13_2_7ff848950000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: b08468c2b5a88264f00680dc458fdd8236be1b106d59572319fe3923f65645d8
                                                                                                                    • Instruction ID: 55ab3413185b21bbdefb87023afc60c6e455ab774636bac08eab437ddd85ff8a
                                                                                                                    • Opcode Fuzzy Hash: b08468c2b5a88264f00680dc458fdd8236be1b106d59572319fe3923f65645d8
                                                                                                                    • Instruction Fuzzy Hash: DCB1A470A1895D8FDF94EF58C898BA9BBF1FF69301F1441AAD00DE7261DB30A985CB41
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000D.00000002.2166171084.00007FF848950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848950000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_13_2_7ff848950000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 2d820a510fca8d30e4ca70ab15042fde5d1248c677a07d9d1cd781dcb2516ffa
                                                                                                                    • Instruction ID: 04f393a1e9f6d089ea21a5a54ec197070ac386ae65adc90e02ed3c2c932e0e53
                                                                                                                    • Opcode Fuzzy Hash: 2d820a510fca8d30e4ca70ab15042fde5d1248c677a07d9d1cd781dcb2516ffa
                                                                                                                    • Instruction Fuzzy Hash: DF914632E0DE495FE759EB7C98492B9BFE1EB55751F0401BFD049C3197DE2898068384
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000D.00000002.2166171084.00007FF848950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848950000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_13_2_7ff848950000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 54507ab82c59b85c2f233b7359aabb73f224a7bac9bc360144256439b8d9aef1
                                                                                                                    • Instruction ID: 1794c640909249683715a25492edef757135456f1e0f05722acf2fdce8b42634
                                                                                                                    • Opcode Fuzzy Hash: 54507ab82c59b85c2f233b7359aabb73f224a7bac9bc360144256439b8d9aef1
                                                                                                                    • Instruction Fuzzy Hash: 92A16C3190DA1D8FDBA8EF28C4447A8B7B1FF5A341F6041BAD00EE7281CB35A985CB45
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000D.00000002.2166171084.00007FF848950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848950000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_13_2_7ff848950000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 1023bc081af4d71f1b44f59299bfd86a45fb428c6231e607bd809c26ebd60f7e
                                                                                                                    • Instruction ID: d0df8d5ee94b4b0f5cf4c62f20be0e703c3e842f8f0bc68b0119d8afb80dbd88
                                                                                                                    • Opcode Fuzzy Hash: 1023bc081af4d71f1b44f59299bfd86a45fb428c6231e607bd809c26ebd60f7e
                                                                                                                    • Instruction Fuzzy Hash: 07A1053190962D8FDBA5EF18C8847A9B7B1EF59345F5041E9D049E7292CB74AEC5CF00
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000D.00000002.2166171084.00007FF848950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848950000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_13_2_7ff848950000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 1e8a9308404787cc95bc2b0157ed59fc14c2a94f334c68459ce77b84c96ab4e5
                                                                                                                    • Instruction ID: cb75dc9d6229c6c325f23b7b4b8f936c81b33784c38e5d8124476f124486a7ac
                                                                                                                    • Opcode Fuzzy Hash: 1e8a9308404787cc95bc2b0157ed59fc14c2a94f334c68459ce77b84c96ab4e5
                                                                                                                    • Instruction Fuzzy Hash: 04518231918A1C8FEF59EF58D845BE9BBF1FB59310F0082AAD44DD3252DF34A9858B81
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000D.00000002.2166171084.00007FF848950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848950000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_13_2_7ff848950000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: be066e7a7bb6af3d2022e4b62b1d9acd989780765c0e3c1260026662d36ea3a6
                                                                                                                    • Instruction ID: eab0245d0218f9d8301fbe1de908680800a14ae02e7b282adba6c719e60facd2
                                                                                                                    • Opcode Fuzzy Hash: be066e7a7bb6af3d2022e4b62b1d9acd989780765c0e3c1260026662d36ea3a6
                                                                                                                    • Instruction Fuzzy Hash: 0B512D36C0DA4A8FE799EF2488451A8BFE0EF55392F1401BDD049D71D3EB28A845C755
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000D.00000002.2167437163.00007FF848A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A40000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_13_2_7ff848a40000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: d8829bc0a5aad856a8088e15f4d6b9cf7d20094adcf32d103997473fb1dcee6b
                                                                                                                    • Instruction ID: e658bbcd856a7133cd46c90f1f13d676e3802c38e1d34879f2aaa14e226ad4dd
                                                                                                                    • Opcode Fuzzy Hash: d8829bc0a5aad856a8088e15f4d6b9cf7d20094adcf32d103997473fb1dcee6b
                                                                                                                    • Instruction Fuzzy Hash: FD412631A0EAC54FE786FB3C489A5747FE1EF5A65070941FBC049C72A3DA589C46C352
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000D.00000002.2166171084.00007FF848950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848950000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_13_2_7ff848950000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 5fd2b9dcb7e4e17100ba95257cb6440e72a1c26dc5e976fd2f41ab1259cc7c69
                                                                                                                    • Instruction ID: 260fb5e61f5ccf15ed79c06f8de7a80f2177573b2ed96f07cf86bd25dc1a0572
                                                                                                                    • Opcode Fuzzy Hash: 5fd2b9dcb7e4e17100ba95257cb6440e72a1c26dc5e976fd2f41ab1259cc7c69
                                                                                                                    • Instruction Fuzzy Hash: 6D41E731D0890E9FDB88EF68D855ABEBBB1FF59301F140469E00AE7291DB35A841CB54
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000D.00000002.2166171084.00007FF848950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848950000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_13_2_7ff848950000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 253309df0da38910b8fe5f162c4d5c93455e8b131acf725e89015fb836e9c33b
                                                                                                                    • Instruction ID: f14a9ad8c81bd1ae68a32c589c87792e0b0a26a5b65e8f61d011b73695f15d0e
                                                                                                                    • Opcode Fuzzy Hash: 253309df0da38910b8fe5f162c4d5c93455e8b131acf725e89015fb836e9c33b
                                                                                                                    • Instruction Fuzzy Hash: 0641DC3190DA5D9FDB45EF68C8446EDBBF1FF0A341F1401AAD008EB292CB38A985CB54
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000D.00000002.2166171084.00007FF848950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848950000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_13_2_7ff848950000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 2377bca61b3f078f8f57502d088f1c3825af42f651ed61fb82ffac911ed93068
                                                                                                                    • Instruction ID: dc2f5079eb34947088c5f239aed7ddf300025216355d73498057460a1cb42956
                                                                                                                    • Opcode Fuzzy Hash: 2377bca61b3f078f8f57502d088f1c3825af42f651ed61fb82ffac911ed93068
                                                                                                                    • Instruction Fuzzy Hash: 7841C231D19A1DDFDB94EFA8D459AACBBB1FF59342F540079D009E7291DB38A881CB04
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000D.00000002.2166171084.00007FF848950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848950000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_13_2_7ff848950000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: c12f4646b08b4b3153804d8c62db5ea422f5566fcbffa4ef282ceffff0bdf8a4
                                                                                                                    • Instruction ID: 8d3001aee28258c73cd0e67e9af66fe63ea27c2479e90a701065da1e53470ca7
                                                                                                                    • Opcode Fuzzy Hash: c12f4646b08b4b3153804d8c62db5ea422f5566fcbffa4ef282ceffff0bdf8a4
                                                                                                                    • Instruction Fuzzy Hash: 85317731D09A5C8FDBA8EF28C8547E9BBB1FF59342F5040A9D00DE7291DB346984DB00
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000D.00000002.2166171084.00007FF848950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848950000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_13_2_7ff848950000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 859026c4298d5ccd4e4bf2e970f78973de1d2f04114b3a6e64ee31118e430a85
                                                                                                                    • Instruction ID: 34fb9787911d2d97bbd95546069263a3da90f0e107f28df4aa039eed7b8a4adc
                                                                                                                    • Opcode Fuzzy Hash: 859026c4298d5ccd4e4bf2e970f78973de1d2f04114b3a6e64ee31118e430a85
                                                                                                                    • Instruction Fuzzy Hash: AF31CF31A0AA5D9FDB41EF68C8446EDBBF1FF4A341F1441A6D008DB292CB38E985CB51
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000D.00000002.2166171084.00007FF848950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848950000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_13_2_7ff848950000_AteraAgent.jbxd
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: oG_H$qG_
                                                                                                                    • API String ID: 0-1968974505
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: )$,$/$X$X$]$x$}
                                                                                                                    • API String ID: 0-3461455369
                                                                                                                    • Opcode ID: c7820fd36747a630a30235545963bf935e7f72bd1f4257bd8b0a8965fc98ce47
                                                                                                                    • Instruction ID: cf515117936a8cf736962dd4543930948ccb4a1265a2896794e59bbb544fd2b9
                                                                                                                    • Opcode Fuzzy Hash: c7820fd36747a630a30235545963bf935e7f72bd1f4257bd8b0a8965fc98ce47
                                                                                                                    • Instruction Fuzzy Hash: 14C13521A0CB890FE35AAB2898552B47FE1EF82351F1641BFC08AC71D7DA1A6C878355
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: dK_H
                                                                                                                    • API String ID: 0-2901103952
                                                                                                                    • Opcode ID: 3016b92b4719442f7f2ecb351a80c0c924152f966baaed7f328d9741fbda8b6c
                                                                                                                    • Instruction ID: 63da94dd7e66c050a2d53a842b70eabcb9e1a8ac6ed9105fad231b4c0f978b17
                                                                                                                    • Opcode Fuzzy Hash: 3016b92b4719442f7f2ecb351a80c0c924152f966baaed7f328d9741fbda8b6c
                                                                                                                    • Instruction Fuzzy Hash: B502D630A1CE498FE799EB28D4586B97BE1FF95301F14416ED48EC3296DF24E846C781
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: d
                                                                                                                    • API String ID: 0-2564639436
                                                                                                                    • Opcode ID: e658e5303656ab742a75e3d260d09fe0f69a30ffb0d6c4df28ae0a64712db957
                                                                                                                    • Instruction ID: 2b2cfa551b9d38121477db2591ae88babf6bca6913f2b2879df1c428356d859c
                                                                                                                    • Opcode Fuzzy Hash: e658e5303656ab742a75e3d260d09fe0f69a30ffb0d6c4df28ae0a64712db957
                                                                                                                    • Instruction Fuzzy Hash: A5D1E030A2CF468FD318EB1C94455BAB7E0FF95355F14467ED08AC3296DA35F8428B85
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: _
                                                                                                                    • API String ID: 0-701932520
                                                                                                                    • Opcode ID: 2c4b2bf1f5e34f156366681d7c7304fcef33d1eb4f403c4fda2809315ea54cd5
                                                                                                                    • Instruction ID: c0383a057caf6d14dfea55622116dceb7023a26f34af570fc0b69434fdf12423
                                                                                                                    • Opcode Fuzzy Hash: 2c4b2bf1f5e34f156366681d7c7304fcef33d1eb4f403c4fda2809315ea54cd5
                                                                                                                    • Instruction Fuzzy Hash: F1C12E63A1EE8B0FE795B72C68591F57FD1EF422A5F0502B7C049CB093EE09984B4395
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: d
                                                                                                                    • API String ID: 0-2564639436
                                                                                                                    • Opcode ID: 4c25e09159b50f194be828da86655b2a625a057ebe42aee45fa5c0f36e97b639
                                                                                                                    • Instruction ID: 67a2e495f22a3956e585eb8e0231bd3ebd81832aaae67f8fcd17c51e2f054b5c
                                                                                                                    • Opcode Fuzzy Hash: 4c25e09159b50f194be828da86655b2a625a057ebe42aee45fa5c0f36e97b639
                                                                                                                    • Instruction Fuzzy Hash: 91C11330A2CF8A4FD759EB188448575BBE1FF95381F1446BED08AC3296DB35F8428785
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: d
                                                                                                                    • API String ID: 0-2564639436
                                                                                                                    • Opcode ID: 667f8419093ae8f1e386aefd7a3384384b8b78187b3ec8ceb78ac7f9d3af9e62
                                                                                                                    • Instruction ID: e73591a1d8f594d180686e7188f06615a4f6ad5289db5c3f232ff2f1c308a840
                                                                                                                    • Opcode Fuzzy Hash: 667f8419093ae8f1e386aefd7a3384384b8b78187b3ec8ceb78ac7f9d3af9e62
                                                                                                                    • Instruction Fuzzy Hash: 1CB1DD30A2CF0A8FD768EB18D495539B7E1FF98341B144A7DD48AC3296DA35F8438B85
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: BK_H
                                                                                                                    • API String ID: 0-699573682
                                                                                                                    • Opcode ID: 71127a16d2d78c33a24671204cf2268868f7bab71581428c57e21dbcc41797cb
                                                                                                                    • Instruction ID: 6ac717d959675b8db5b50a0d289106a5ffb6e2a5169b58ca914abf062e8c2c82
                                                                                                                    • Opcode Fuzzy Hash: 71127a16d2d78c33a24671204cf2268868f7bab71581428c57e21dbcc41797cb
                                                                                                                    • Instruction Fuzzy Hash: 6F91F571D1DE8E8FDB85EF6C8858AA97BE1FF59341F0401AAD809DB296DB389C05C740
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: h w
                                                                                                                    • API String ID: 0-4164426182
                                                                                                                    • Opcode ID: 3ec58834f17d9d9cdd05a16da396dc1524fcd7b0a447e4c21407d4af4a0cba73
                                                                                                                    • Instruction ID: 4e1c79894e96fe109acd84260d4edd22ad953815535b028e3d6e0f55127ff807
                                                                                                                    • Opcode Fuzzy Hash: 3ec58834f17d9d9cdd05a16da396dc1524fcd7b0a447e4c21407d4af4a0cba73
                                                                                                                    • Instruction Fuzzy Hash: 57515030B1CC0A8FE6A8EA1CD45977977D1FF59742F1400B9E48FC72A2DE25AC428785
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: vL_^
                                                                                                                    • API String ID: 0-2808113552
                                                                                                                    • Opcode ID: 0c8d2d25b2d6f48d739d13dce398e050be45b6515d996ba882d3eb3a346ad33c
                                                                                                                    • Instruction ID: 2463e751c5440e9fc6999c9a10b8197d03c11cc73491cea0c7d5089bef7f967d
                                                                                                                    • Opcode Fuzzy Hash: 0c8d2d25b2d6f48d739d13dce398e050be45b6515d996ba882d3eb3a346ad33c
                                                                                                                    • Instruction Fuzzy Hash: 04411631E1CE49CFE768AA2CA81D1797BE1EF99766F0401BBE049C3293DE146C028785
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: kq
                                                                                                                    • API String ID: 0-1161455450
                                                                                                                    • Opcode ID: 5ed8da3543e507c35f4d076f5516b4cb22325e0cf61983988681b7e0b1229d9f
                                                                                                                    • Instruction ID: 5631e9ea2a2591519f2c249920206765e524cf7ea2f3bae509f1f99a25bc6378
                                                                                                                    • Opcode Fuzzy Hash: 5ed8da3543e507c35f4d076f5516b4cb22325e0cf61983988681b7e0b1229d9f
                                                                                                                    • Instruction Fuzzy Hash: 5D410321A1DE8A0FF799B72C58882747BD1EF96392F1800BAD00DC72D3DD199C458359
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: yb_H
                                                                                                                    • API String ID: 0-956606333
                                                                                                                    • Opcode ID: 7887d91a8097011487dc5a7386cb1a42c39f0c7afc455693a97d9398fd6d3162
                                                                                                                    • Instruction ID: 5d15ae122fc71b52c26f3a1251cf0b093805c6e1d128a1f985e4c6626b7a681d
                                                                                                                    • Opcode Fuzzy Hash: 7887d91a8097011487dc5a7386cb1a42c39f0c7afc455693a97d9398fd6d3162
                                                                                                                    • Instruction Fuzzy Hash: 374107A1A1D9864FE7A6EB28888D7B97FE1EF95341F0805FDD04DCB1A2DB246806C305
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: _
                                                                                                                    • API String ID: 0-701932520
                                                                                                                    • Opcode ID: f4411c5daa7e77c517a8083f42cfd1ad65d74362c06318ac1fa559a75108df31
                                                                                                                    • Instruction ID: a95bbf9cc69d462641480b4592834a0d31ac1c76231b626917cb5285f638de4e
                                                                                                                    • Opcode Fuzzy Hash: f4411c5daa7e77c517a8083f42cfd1ad65d74362c06318ac1fa559a75108df31
                                                                                                                    • Instruction Fuzzy Hash: 5C310531B1DE4B0FEBD8A71CA8196757BD1FB55362F4401BAE40DC7192EE19EC468344
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: f021d7d7667bdd3d3858605a97afd6482462d13fbe4fe7f11affb21f77e08eee
                                                                                                                    • Instruction ID: 52a4c4cee3ecc7b3d0475fb993ef4a4588e8010064da70ed1c3bd1194b0dc313
                                                                                                                    • Opcode Fuzzy Hash: f021d7d7667bdd3d3858605a97afd6482462d13fbe4fe7f11affb21f77e08eee
                                                                                                                    • Instruction Fuzzy Hash: 80F12831F1CE4A8FE758EB2C94596787BE1FF95B51F0401BAD04EC3296DE28AC428746
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode Fuzzy Hash: ebc9a6f61cd35122c03100f6f51979234d88e94662fa7f122f85e70e77dc9306
                                                                                                                    • Instruction Fuzzy Hash: 4EA1043062CE0A8FDB99EB2CC484A717BE1FF55351B1405BDD08EC71A6DA25F846C784
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 8d38de7d65c38f5bec07a74a5ff8f591be85876e80b19e86c22a43d7b45cf977
                                                                                                                    • Instruction ID: 24179bde01d0c2a3a5dd3f970efaa7bd991db4014be9b4b95e62b082acab5dfe
                                                                                                                    • Opcode Fuzzy Hash: 8d38de7d65c38f5bec07a74a5ff8f591be85876e80b19e86c22a43d7b45cf977
                                                                                                                    • Instruction Fuzzy Hash: 8DB1B33091CA428FE72DAB58D099679BBE0FF45749F10447DE4CFC3692CB28B8468796
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: ab03907d3cc821a8560b18e8bb71f0c7e4f74c8384ec74b68427c204a259213f
                                                                                                                    • Instruction ID: 4aebf45c13102e5e1ea23a4da233d50cb1ce6d7b569222044acf41a3831f7ef5
                                                                                                                    • Opcode Fuzzy Hash: ab03907d3cc821a8560b18e8bb71f0c7e4f74c8384ec74b68427c204a259213f
                                                                                                                    • Instruction Fuzzy Hash: CA91E631E1CE4A8FE758AA2C98495797BE1EFA5B51B04017EE04EC3297DE24EC438746
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: ae2e19c7a45df83abad2af6b063c98cedb2b8a3dd7cf1fe15e485282b7c9b08d
                                                                                                                    • Instruction ID: 3ee3c1475b75fd9982a28b121908a8d3491dcea762e71620d924c2ecca86f34c
                                                                                                                    • Opcode Fuzzy Hash: ae2e19c7a45df83abad2af6b063c98cedb2b8a3dd7cf1fe15e485282b7c9b08d
                                                                                                                    • Instruction Fuzzy Hash: 56B1D271E1C94A9FE794FBA894597FCBBE1FF58750F1401BAD00DD328ADE2868428B41
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 39c29a2f05eda284605f6b13161c178fd23131eb349d6da7f70296e3e0fd63bd
                                                                                                                    • Instruction ID: 98c59aeb1e59157665d77e03144bc42e94e87ef2322f74e12f1d47e406b802f6
                                                                                                                    • Opcode Fuzzy Hash: 39c29a2f05eda284605f6b13161c178fd23131eb349d6da7f70296e3e0fd63bd
                                                                                                                    • Instruction Fuzzy Hash: BBC10570D08A1DDFDB98EB58C498BADBBB2FF59341F1441A9D00DE7296CB34A981CB44
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: f5081cb8627010df9d0d1166cf35c1829e2b26156fefabe0057f892638067fab
                                                                                                                    • Instruction ID: 33f4d4b366ed5b6d8cb8d7c3573011948efc79f698800c6ed1d907471bd88403
                                                                                                                    • Opcode Fuzzy Hash: f5081cb8627010df9d0d1166cf35c1829e2b26156fefabe0057f892638067fab
                                                                                                                    • Instruction Fuzzy Hash: FD711522F2EC5B8FF2E5B72C282D2745BC1EBA86D2F200177C44DC7295DE189C0E0655
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 1ad993e14bf72b3be9ea7fe3091ff754ab2957de6021e5c178da09470152af6d
                                                                                                                    • Instruction ID: ddc0f6e27ae01b6f6850780bf3011231f841038ecab4195e9abaa7a4d0109d68
                                                                                                                    • Opcode Fuzzy Hash: 1ad993e14bf72b3be9ea7fe3091ff754ab2957de6021e5c178da09470152af6d
                                                                                                                    • Instruction Fuzzy Hash: F3B10870D0CA5DCFEB99EB1884587B9BBB1EF59341F5441BAD00DE7282CB346986CB44
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 647e5b601bff76983405b3f72adea3fd090c8211217983d17dff7021a92c8874
                                                                                                                    • Instruction ID: 4694bac4681c8db8d985087a869c95b5b3040b05c564e26eeda65b0907eb83d6
                                                                                                                    • Opcode Fuzzy Hash: 647e5b601bff76983405b3f72adea3fd090c8211217983d17dff7021a92c8874
                                                                                                                    • Instruction Fuzzy Hash: 02812631B2CD1A0FEAA8FB1CA4497B937D1EF987A1F0901B6D40DC7296DE189C424385
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 074af8f9c172a83a6d382f966b35cafb0c9c57e52b3bed89aba2020ae5d2fdb4
                                                                                                                    • Instruction ID: 25465c725bbd01b5ebb1d9b21329bfe2f4e000add5d58070b29597fcb97a166c
                                                                                                                    • Opcode Fuzzy Hash: 074af8f9c172a83a6d382f966b35cafb0c9c57e52b3bed89aba2020ae5d2fdb4
                                                                                                                    • Instruction Fuzzy Hash: 84913430A2CF4A4FD758EF2894885B67BE0EF95351F14067ED48AC3292DF29F8428745
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 1461bc257aa6f15457a88846ff75294ada5ad35322bb71edd08cc98b9ccf62de
                                                                                                                    • Instruction ID: 503b6ee7e6f6e8813fdd8a430c0b9cd6744b33db70048bead2033fb47ca368eb
                                                                                                                    • Opcode Fuzzy Hash: 1461bc257aa6f15457a88846ff75294ada5ad35322bb71edd08cc98b9ccf62de
                                                                                                                    • Instruction Fuzzy Hash: C1918571E0C9499FEB84FBA898597BCBBB1FF59750F1401BAD00DD3286DE2868528B41
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 3ee3ce9c727b0427b022540b9fbd2a5ed3750c7160017dcec852cd6a52b27f94
                                                                                                                    • Instruction ID: e595685f2c675e3c5b56164df30ce184e6169fb53ca8dd7683d1a2831b034302
                                                                                                                    • Opcode Fuzzy Hash: 3ee3ce9c727b0427b022540b9fbd2a5ed3750c7160017dcec852cd6a52b27f94
                                                                                                                    • Instruction Fuzzy Hash: CC918F71D1DD8E9FE794EF6898596BDBBE1FF55741F000579D009E3182DF2468028B44
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 75b782afbbc598ff531ac0163714b2a523f2be6b69194ca1d83b239fe84046c1
                                                                                                                    • Instruction ID: f3529dd45ec184bae378da952bf3849959de491bfe4af9227167c60354bcfaaa
                                                                                                                    • Opcode Fuzzy Hash: 75b782afbbc598ff531ac0163714b2a523f2be6b69194ca1d83b239fe84046c1
                                                                                                                    • Instruction Fuzzy Hash: 56610323B1DD2B2EE650756DB44A1FD2B80EF857BAF050237D148CA183DF1D388A4299
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 8acb46abd7637b01b324b0794c60bdafbdb62cfdf50f8399886a4a50e26e0ea5
                                                                                                                    • Instruction ID: 69958879ec94caf288a130eddf6c33dcd02d7601ba8af975daf5992ba45e3f2b
                                                                                                                    • Opcode Fuzzy Hash: 8acb46abd7637b01b324b0794c60bdafbdb62cfdf50f8399886a4a50e26e0ea5
                                                                                                                    • Instruction Fuzzy Hash: 9F715521E0EECA2FF3A6B62C58182756FE1EF66699F1901FBC099C72D3DD185C068345
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 73325bde659e45c9bd1efc820a1ca79af2242cc5c0df61b2946761cf658d3414
                                                                                                                    • Instruction ID: 7eefa8b719579729c36938c193d90ac6ff1fe079a30200508825cf76dda1387d
                                                                                                                    • Opcode Fuzzy Hash: 73325bde659e45c9bd1efc820a1ca79af2242cc5c0df61b2946761cf658d3414
                                                                                                                    • Instruction Fuzzy Hash: 1771F331F1CD1A8FE764BA6DA4095BC7BD0EF997A6F05017AD04EC7192CE18AC428389
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 432bc1746e102074cfca31c095388f1968acaa95371adc439f605fcf8eabc08e
                                                                                                                    • Instruction ID: b06828cba3aa29969cc3cded6238da4ba6a64dfc12adf90d0153569c37671357
                                                                                                                    • Opcode Fuzzy Hash: 432bc1746e102074cfca31c095388f1968acaa95371adc439f605fcf8eabc08e
                                                                                                                    • Instruction Fuzzy Hash: 4E515770E1CA1DCFEB58EB98D8496FDBBA1FF58341F90013AD009E3281DB3868429B44
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 04997bd1a8ea9cd6ebc13440c39f2146253070ca05937187fc3054a396581f39
                                                                                                                    • Instruction ID: 20ba62051edd4ecb00a2cd9f9717959235b18cd4a617eafddc3be3ec411f5bdc
                                                                                                                    • Opcode Fuzzy Hash: 04997bd1a8ea9cd6ebc13440c39f2146253070ca05937187fc3054a396581f39
                                                                                                                    • Instruction Fuzzy Hash: 6251D3B0D0DA8D9FEB55EB6888196E97FB0EF55351F1800BAD008E7592CB381846C759
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 358af41aefe7c33dcf3693758c171ac5294373e701df42a9f51e086acb5ac686
                                                                                                                    • Instruction ID: b978414bffa16e4f7b150802970cfecf8786372c14acebe4983c2331efe7706a
                                                                                                                    • Opcode Fuzzy Hash: 358af41aefe7c33dcf3693758c171ac5294373e701df42a9f51e086acb5ac686
                                                                                                                    • Instruction Fuzzy Hash: 2641C230628E0B8FD798AF18D888A617BE0FF58341B54067DD44EC7256DA39F886C785
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: d37f6a4c133be6466f38aeeae0c1746b094b7ebf0154dbfcc77c654c77dd75a1
                                                                                                                    • Instruction ID: 35c9cf6cb0e76031f85cea0be7dcd77140e6a6d8f1bd3193881cd15080aa5e23
                                                                                                                    • Opcode Fuzzy Hash: d37f6a4c133be6466f38aeeae0c1746b094b7ebf0154dbfcc77c654c77dd75a1
                                                                                                                    • Instruction Fuzzy Hash: A8512770D19A1D8FDB58EFA8C4956EDBBF1FF19301F10006AD009E7292DB39A981CB45
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: eb6d44376ca1700b9f98d81e59d5e260b23993fabd81223e8f43b2430b9d0945
                                                                                                                    • Instruction ID: 3cb890e6623c4d7633267a6fcc80f2bd9a8ed3afdf62a108cf28447f3a8fd441
                                                                                                                    • Opcode Fuzzy Hash: eb6d44376ca1700b9f98d81e59d5e260b23993fabd81223e8f43b2430b9d0945
                                                                                                                    • Instruction Fuzzy Hash: 0B41B532B1CD2ACFE758BA1DA4091BC7BD1EF997A2B05417AD149C7186CF24AC0786C4
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 12137e52a2e13f1cbaaba744698a88795a7f9a8db791c2ea5d160a6f203a230e
                                                                                                                    • Instruction ID: fdf2ad56a0813768eb241eae3e29cc3866281a98cdb1872f27ac3b1d82ad65ec
                                                                                                                    • Opcode Fuzzy Hash: 12137e52a2e13f1cbaaba744698a88795a7f9a8db791c2ea5d160a6f203a230e
                                                                                                                    • Instruction Fuzzy Hash: A3514F71E1895E8FE798EB58D89D7E8B7E1FB58781F0001F5D40DE3296DE345D828A40
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: b5a5ecebad62e0cbee73a459645256a30fa408646f6d4e237dd88bfda64e8298
                                                                                                                    • Instruction ID: 844d25010df65e43378451739ad1760ad72816a15149953a59c67f41b7c53d3a
                                                                                                                    • Opcode Fuzzy Hash: b5a5ecebad62e0cbee73a459645256a30fa408646f6d4e237dd88bfda64e8298
                                                                                                                    • Instruction Fuzzy Hash: BE51EF30A1CB458FE75AAB28C4986A67FE1FF55349F1440BEC08BC7292CB29B846C754
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: ff3d7f44729801182f01371d2e4a6ba46d1b09c9b66c30437683a37b95d91f33
                                                                                                                    • Instruction ID: db9e0d764f5257103e7f6fdc1478397176b274fd1c6f502472428d470b76959d
                                                                                                                    • Opcode Fuzzy Hash: ff3d7f44729801182f01371d2e4a6ba46d1b09c9b66c30437683a37b95d91f33
                                                                                                                    • Instruction Fuzzy Hash: 0E414432A2CD5A4FE798FE2CA84DAB5BBD1FF54391B1444BAD00DCB292DE25EC018745
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 56e3ea49d9dd87326368acf9f94b58b824ca1b6465d731c466f3a17ece872076
                                                                                                                    • Instruction ID: 4f90bf886e3ee80dd770d690f8e04bac8398d9ab6861d93e107c282cf90ca6df
                                                                                                                    • Opcode Fuzzy Hash: 56e3ea49d9dd87326368acf9f94b58b824ca1b6465d731c466f3a17ece872076
                                                                                                                    • Instruction Fuzzy Hash: 8841F731B1DD094FE794FB1CA8187B9BBD1FF99751F0401BAE44DC7296DE2A98418381
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 5e30f1a44db6bdc9383b6187dad42e14f95fe88e94bfecf540721f8fcc55fa60
                                                                                                                    • Instruction ID: 585cd104454a5457a55d2a61a34dfae39f96cbaa6709e227f8fbc3796c79a474
                                                                                                                    • Opcode Fuzzy Hash: 5e30f1a44db6bdc9383b6187dad42e14f95fe88e94bfecf540721f8fcc55fa60
                                                                                                                    • Instruction Fuzzy Hash: 1541603062CE468FEBA5EB2CC054EB67BE1EF55381F1445B9D04AC76A6CE25F845C740
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: feda1f0d69c3a54a01d2cc5d383774c988e246edf497f193c04633f9ff6a0bdc
                                                                                                                    • Instruction ID: a2a54072ef1bd7f7c9f2bc453a9403742d78a08c8f54eae595d60d30c087d326
                                                                                                                    • Opcode Fuzzy Hash: feda1f0d69c3a54a01d2cc5d383774c988e246edf497f193c04633f9ff6a0bdc
                                                                                                                    • Instruction Fuzzy Hash: A941AA70E0CA4D8FEB58EB68D8496EDBBB1FF54341F54017AD409D7282CB386842CB44
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 303e9cd53ed1aaab3e549b49588e895928467c7be1c021e4d899c07535e10e2b
                                                                                                                    • Instruction ID: 90e7b3e3d0cd8765283b0f14af9e660693d584bbc0a4c0e8e109a49c53f84c65
                                                                                                                    • Opcode Fuzzy Hash: 303e9cd53ed1aaab3e549b49588e895928467c7be1c021e4d899c07535e10e2b
                                                                                                                    • Instruction Fuzzy Hash: C4412230A2CE4A4FDB98EF58945967A3BE1FFA8751F10017AD40ED3295CF35A8028785
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 73810fd932ec6cbb82d091703df373c10f3a5e630cbea3d9d1b04aab686466e7
                                                                                                                    • Instruction ID: fe262531a1afa4ccfcb31962f5980ce8914f5453ca3dea3aefca4edfc8fa445f
                                                                                                                    • Opcode Fuzzy Hash: 73810fd932ec6cbb82d091703df373c10f3a5e630cbea3d9d1b04aab686466e7
                                                                                                                    • Instruction Fuzzy Hash: D3410B72E0855A8FE754FB2CE85A5FDBBA0FF41766F0401B7D00DC6193DE2924868785
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 82a85744153bc51775a9c4a182811b2e42d411c6da97a4000a4781994103663f
                                                                                                                    • Instruction ID: 8856b05cfa848c42e6602dfa45a646dfd2fd774b18d6469f89a7e05d4032a617
                                                                                                                    • Opcode Fuzzy Hash: 82a85744153bc51775a9c4a182811b2e42d411c6da97a4000a4781994103663f
                                                                                                                    • Instruction Fuzzy Hash: 2331D331F1CD09CFE768EA2CA84D5797BE1EF99756F04017AE00DC3296DE20AC028785
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: cb454e8b3df97ec1c4f5c20de8a478d4558a4860a01c2fc73e9747f3f33910c1
                                                                                                                    • Instruction ID: e1b59adb918a09420924f9b37cf6dd550f36d0ec1be42ddb8f331352b9337ab4
                                                                                                                    • Opcode Fuzzy Hash: cb454e8b3df97ec1c4f5c20de8a478d4558a4860a01c2fc73e9747f3f33910c1
                                                                                                                    • Instruction Fuzzy Hash: 69413D61E18D0E9EEB84FB9CD8597ECBBA2FF58761F100175D00DE7286DF2868528741
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: d968c77d829258d04b508a2464ba84deb3abd6b7f70c32ccace7f40b0f0b44d9
                                                                                                                    • Instruction ID: 40f027c20b75967ff4337d972cdf7f63689077c5696482d26e47ce058c8600f8
                                                                                                                    • Opcode Fuzzy Hash: d968c77d829258d04b508a2464ba84deb3abd6b7f70c32ccace7f40b0f0b44d9
                                                                                                                    • Instruction Fuzzy Hash: 0241913062CE4A8FDB95EB2CC054EB67BE1FF59341B1845A9D04EC72A6CE24F845CB40
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: bfccabab682859dfcc8dc14765a57df885b8c080b38a66b2fe0db34d83d1fe79
                                                                                                                    • Instruction ID: 2fb924322fb6efaa60a8edbd6e7213624d717ceef4b6750618c9ef53c88bcc0c
                                                                                                                    • Opcode Fuzzy Hash: bfccabab682859dfcc8dc14765a57df885b8c080b38a66b2fe0db34d83d1fe79
                                                                                                                    • Instruction Fuzzy Hash: 3E419D70D1DA5A8FEB85EFA8D4586EDBBF1EF59311F04007AD009E7282CB386845CB51
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: db04019adae4342929da09c3bfaea461af9aa9e0b91df96b429df82480b5624a
                                                                                                                    • Instruction ID: a8acf9a52d4205631a1b5ee7f46e06069565c9c4d7cc1d713d25a22035c187cf
                                                                                                                    • Opcode Fuzzy Hash: db04019adae4342929da09c3bfaea461af9aa9e0b91df96b429df82480b5624a
                                                                                                                    • Instruction Fuzzy Hash: 68318F31B2CC194FEBA8FA1CA4997B977E1FB98751F040176E40ED7285DE249C064785
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 31f35613669c97303caf0997afe6b12c4b82ab31d3fabbee6f96411fc078a12a
                                                                                                                    • Instruction ID: 4077874dbd1614d3a02d6cfbf5a87888e58efbbc5414f4b96fd025d8c2d5dcc8
                                                                                                                    • Opcode Fuzzy Hash: 31f35613669c97303caf0997afe6b12c4b82ab31d3fabbee6f96411fc078a12a
                                                                                                                    • Instruction Fuzzy Hash: DE411971E1890E9FEB84FA9CD85ABECB7A2FF98751F100175D009E7286DF2868528741
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 8ecdd882007fda19f05876ab1c679c4b5b6cfa97017585eaa5c2017e030f03c1
                                                                                                                    • Instruction ID: 0646913aa075874fc834ae5068985f3f560de1042c2497ecb99903e7df45d03d
                                                                                                                    • Opcode Fuzzy Hash: 8ecdd882007fda19f05876ab1c679c4b5b6cfa97017585eaa5c2017e030f03c1
                                                                                                                    • Instruction Fuzzy Hash: A9418D70E0CA4DDFEB54EB58C4496ADBBB1FF59381F5400BAC009E7292CF3868428B59
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: f5e399e64e1b677d15a3b62e6ad0b9522e48a2116fcb4ce8b8e394dfe5d6fa1a
                                                                                                                    • Instruction ID: 66203a26faee6ab5067087dc311d4ad71d843ad02a60f48dcb7d2dafa5cad0a7
                                                                                                                    • Opcode Fuzzy Hash: f5e399e64e1b677d15a3b62e6ad0b9522e48a2116fcb4ce8b8e394dfe5d6fa1a
                                                                                                                    • Instruction Fuzzy Hash: DA411770E0DA8A9FE744EB6888196B9BFA0FF55781F1401B9C50DD71C7DF2828428755
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 680092f2d37b205e651943e27ecbb44c8749b750755bf8ab9f40776fe1a622cd
                                                                                                                    • Instruction ID: 464ec2ecca10411e237715c31c95c8663c02c79bbf9260bbdd75c73d8caff1f0
                                                                                                                    • Opcode Fuzzy Hash: 680092f2d37b205e651943e27ecbb44c8749b750755bf8ab9f40776fe1a622cd
                                                                                                                    • Instruction Fuzzy Hash: 12310831B2CE465FE790E6199448676BBD1EFA4365F04057ED44CC32A2CB68E985C389
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 529fb37a56aafdf969bd54de188bc8fbbec0cb5da8dc9b2cb9d9345dbf8c4c7e
                                                                                                                    • Instruction ID: 1a95cb3d41ff3069d270e1deba546e6f8e87b6183ebff641ecc219e153df0804
                                                                                                                    • Opcode Fuzzy Hash: 529fb37a56aafdf969bd54de188bc8fbbec0cb5da8dc9b2cb9d9345dbf8c4c7e
                                                                                                                    • Instruction Fuzzy Hash: 2C312B32E1CD4A8FE7A4FA28548D6F57BE1EB64751F04057BC04DC3286DF6958474381
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: c368b3c63ac99c875d87dab91d08738bf2e45f129c1e645c16c789516dab63a2
                                                                                                                    • Instruction ID: b22964c1938c2fe023a4cf3f83741cc11609c98001535ac426a2fd360fbcd2a4
                                                                                                                    • Opcode Fuzzy Hash: c368b3c63ac99c875d87dab91d08738bf2e45f129c1e645c16c789516dab63a2
                                                                                                                    • Instruction Fuzzy Hash: 77314870E1894E8FEF84EF68C8596BDBBE1FF68341F400529D009E3291DB79A8418B40
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 158044afb637a782895bf89d125b88d240a67863a071426167330116f00914af
                                                                                                                    • Instruction ID: 073b779d91790b3cca7bf50b4e01cdc6a3419c71b82c37410915653e8000b5ec
                                                                                                                    • Opcode Fuzzy Hash: 158044afb637a782895bf89d125b88d240a67863a071426167330116f00914af
                                                                                                                    • Instruction Fuzzy Hash: FB31F43181CF865FE745BB38884D665BBE0FF95350F040ABAD08AC71A2DE28E9418742
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 22aa34c86e360bc00b05322bb902f43634a72febbb7358b94d124a5cd69ec9af
                                                                                                                    • Instruction ID: d85264bf0c2faad4a8850ae2e4bc770c0bc0a7336b10a6537ca226eaa4cb2263
                                                                                                                    • Opcode Fuzzy Hash: 22aa34c86e360bc00b05322bb902f43634a72febbb7358b94d124a5cd69ec9af
                                                                                                                    • Instruction Fuzzy Hash: 8B4119B0D09A1D8EDB98EB68C8647BD7AB1EF54382F5400BAD00DE7292DF381985DB15
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: f7f35ddcbf49c7780e358b784b0b3810a835ef35249759a52b33b018cfb66e2f
                                                                                                                    • Instruction ID: 7f09ba3f2aaae8b15720db80bbeb33968b8fc4b18a645e94b0c1c4f061095e3d
                                                                                                                    • Opcode Fuzzy Hash: f7f35ddcbf49c7780e358b784b0b3810a835ef35249759a52b33b018cfb66e2f
                                                                                                                    • Instruction Fuzzy Hash: 8631F130A1CE464FE76AE638D488AB57BD1EF54349F14447DC48EC3396EB29B882C785
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 45b2b6686a2ecc7fac5c80939e256f8f9921554132c6ca2c936380f85cc4397f
                                                                                                                    • Instruction ID: 268f96e46f45168774084216195cc22bc18b2d9ab11afcd646555a86aa8fdd8d
                                                                                                                    • Opcode Fuzzy Hash: 45b2b6686a2ecc7fac5c80939e256f8f9921554132c6ca2c936380f85cc4397f
                                                                                                                    • Instruction Fuzzy Hash: 31214D32F0DD550EE2A4E67D7C592B47FC0DFC66A5B0841BBD00DC7296DA1A484183C5
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 8e6d2f172d33c7733628d7ac12debb564bba68a70f820b106477b5c256487690
                                                                                                                    • Instruction ID: 98b7659d7dbfb23614d127581d4d7114f2587a1c69d8405817c65d0ed4acef16
                                                                                                                    • Opcode Fuzzy Hash: 8e6d2f172d33c7733628d7ac12debb564bba68a70f820b106477b5c256487690
                                                                                                                    • Instruction Fuzzy Hash: 7D214F30A1CE098FDBD4EA4894596BD7BD1FB98756F04017ED04ED3291DB24A8018749
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 143019fa1e57a2762272fd9232dd93e0104d278e4adcf2093106bb2634771945
                                                                                                                    • Instruction ID: 98fdf8a1bdb8ce8c14438d6057bdca8876980dd3b8472891b92e59a94eec8f84
                                                                                                                    • Opcode Fuzzy Hash: 143019fa1e57a2762272fd9232dd93e0104d278e4adcf2093106bb2634771945
                                                                                                                    • Instruction Fuzzy Hash: D331F231D2CE899FEB59BF6898492B9BFE0FF52342F4800BAD40DC7196DB249946C345
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 8c1fb18e79bc5a2e795dbca7fa62c60afb94c4973c5fc003a5ec3420d7070690
                                                                                                                    • Instruction ID: a4add91a99e27263c030cec42b30e2a085968113308c5850b9432b9bc01f3e17
                                                                                                                    • Opcode Fuzzy Hash: 8c1fb18e79bc5a2e795dbca7fa62c60afb94c4973c5fc003a5ec3420d7070690
                                                                                                                    • Instruction Fuzzy Hash: EE01F432B0CC0D8FE6D8FA2CA449A7433D1FF6936130405E6D44DC7356E925EC028744
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 01251b3ff9bde0db4519b0727bfdaa07ac1d15f05b95e9d2d29bfa77e03b94fa
                                                                                                                    • Instruction ID: 3bb4e80f1da147518069fa1f09ea0057266792a6181b5223ebd509645ce09168
                                                                                                                    • Opcode Fuzzy Hash: 01251b3ff9bde0db4519b0727bfdaa07ac1d15f05b95e9d2d29bfa77e03b94fa
                                                                                                                    • Instruction Fuzzy Hash: 7E01267284DACADFE796BB3058560F17FA0EF47391F0900B6E048C60A3DA5D1A4BC395
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 481557ea54446e9a9ab073b30986ea1aca5479d11c34d7a4fb610ecf34ba5a5b
                                                                                                                    • Instruction ID: 3d9149ed936d299b08589449b9f7ed1572eca3713a86826ab1aa0793721ba292
                                                                                                                    • Opcode Fuzzy Hash: 481557ea54446e9a9ab073b30986ea1aca5479d11c34d7a4fb610ecf34ba5a5b
                                                                                                                    • Instruction Fuzzy Hash: BA01F73151DFC95FD746A23898242617FE1EF97225F0901EBE484CB2E3DA669C05C392
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 477851221567ad266201676212d8f7c3dfccaff3fb867e37406e96445dbf3b0d
                                                                                                                    • Instruction ID: cd7b0db1db10c245d2aacca5f0b53cc97a16ccfe254a43dcc769ff125230e1a1
                                                                                                                    • Opcode Fuzzy Hash: 477851221567ad266201676212d8f7c3dfccaff3fb867e37406e96445dbf3b0d
                                                                                                                    • Instruction Fuzzy Hash: 24F0E92271D9885FE794A52DAC5D9723FD4DBAA17271502FFE84CC7173EA029C028355
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 387d8241134693ec8b096ef1b8142b2dc769a97ea0d3cd6c44056246b0a98acb
                                                                                                                    • Instruction ID: 2fd8dbb7aca855374e6efec1f28c4633479cb2cd10b2f28fdf3f836dc693e106
                                                                                                                    • Opcode Fuzzy Hash: 387d8241134693ec8b096ef1b8142b2dc769a97ea0d3cd6c44056246b0a98acb
                                                                                                                    • Instruction Fuzzy Hash: 2A012621E2CECB0FE75AB73C50682B96FE1EF55652F4800BAC0C9C2187DE0858858341
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 688ce8efe1d7a5e336b6c3704195cdb7f82ba223f1e8e904d393b344c03a817c
                                                                                                                    • Instruction ID: d86dfef532486638b87f41153d80e669cce6846d0ac562addf695d9e0c17bb9f
                                                                                                                    • Opcode Fuzzy Hash: 688ce8efe1d7a5e336b6c3704195cdb7f82ba223f1e8e904d393b344c03a817c
                                                                                                                    • Instruction Fuzzy Hash: E801F931C1D9CE6FE752EB28985C1BC7FF0EF56241F0902F6D408C70A3DA2919458741
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: f007d302c75967d69c508e822e9a826ee0224e6833e4f5b23fa77ff5b82fbc33
                                                                                                                    • Instruction ID: 94552e940964f43d41898e46733090eed466132a1295a3a8e87faa222f00b3bb
                                                                                                                    • Opcode Fuzzy Hash: f007d302c75967d69c508e822e9a826ee0224e6833e4f5b23fa77ff5b82fbc33
                                                                                                                    • Instruction Fuzzy Hash: 14F0F95260EAC60FE347A23C681A1B4BF81DB52175F4841FFC188C71A3D809484A436A
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 89273431054d86b5ada2efc75ba88d52be2c4fdd53175ccd89538ba9dd080502
                                                                                                                    • Instruction ID: bbe45ff3b61a3aa926a61ba14cfe39d4ca10d17f75f0da9c04d51320884003f6
                                                                                                                    • Opcode Fuzzy Hash: 89273431054d86b5ada2efc75ba88d52be2c4fdd53175ccd89538ba9dd080502
                                                                                                                    • Instruction Fuzzy Hash: D701CC3091CF098FD794EB288448A6A7BE1EFD8356F040A7EE889C32A0DB34E8408745
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 15776a1ea1de9437355102305784776f9951c6d75e8459b60402389dde2b10c4
                                                                                                                    • Instruction ID: 1475ef7ef68b1b568831b4ac6478e90610490c134de2a80203213a71700798e8
                                                                                                                    • Opcode Fuzzy Hash: 15776a1ea1de9437355102305784776f9951c6d75e8459b60402389dde2b10c4
                                                                                                                    • Instruction Fuzzy Hash: 3A01D630A28D4B8FDA98FB2C80446BAB3D1FF94340B444579D40DC3185DE29E8828340
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 71d0b61c1f93d364e7948bf4680fa8b6d0b720ff51c6e9733205524c6a474156
                                                                                                                    • Instruction ID: 8aab5267515574d72f580287dd8bb78e15b577633e35658e02056a55b8419678
                                                                                                                    • Opcode Fuzzy Hash: 71d0b61c1f93d364e7948bf4680fa8b6d0b720ff51c6e9733205524c6a474156
                                                                                                                    • Instruction Fuzzy Hash: 62F09035D4CA5E8FDB24AE55E4042F9FBB4EB82396F00203AD50CE7140D77A9996DB4C
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: e2a3c1b1f826956e8624659c05e443750916339ce842c8ad8d4f3ac354056d60
                                                                                                                    • Instruction ID: d842a62e01515684dc90ac07ac42f26a34b55390ab5d34bee255510298c10ff5
                                                                                                                    • Opcode Fuzzy Hash: e2a3c1b1f826956e8624659c05e443750916339ce842c8ad8d4f3ac354056d60
                                                                                                                    • Instruction Fuzzy Hash: F7F09035D4891DCFEB20AE95E4443F9FBB4EB82396F00203AD40CE7151D77A99A6CB48
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 2d773ba6e96c199d5f662c9a80372c1596977794bcff16b7c4b01e7c4a6e49ec
                                                                                                                    • Instruction ID: 206756108b1d836b816da88e1297c130e2865b594e2ff81a8f1573b16cc3a52d
                                                                                                                    • Opcode Fuzzy Hash: 2d773ba6e96c199d5f662c9a80372c1596977794bcff16b7c4b01e7c4a6e49ec
                                                                                                                    • Instruction Fuzzy Hash: 9201D100A6EEC61EE357B37818282A16FA1CE43166B0C01EBE0C8CB097DA0C4856C39A
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 263e77857b134908c99819a71c8bce3818913dffa62723ec0d3e8ce0d582f387
                                                                                                                    • Instruction ID: 0e613a323d6c021dec2357f3140cca7a649e06770684b48b78243175260edf24
                                                                                                                    • Opcode Fuzzy Hash: 263e77857b134908c99819a71c8bce3818913dffa62723ec0d3e8ce0d582f387
                                                                                                                    • Instruction Fuzzy Hash: DDF02210A1DD261FFA64716A644D7FA2FC0EF893AAF09013BE00CC1282DF5D28868349
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 7ea5a1c6c2fa86a320d8c11b9334a8937c4b6e5d2b691a7978310d2b105d5ea6
                                                                                                                    • Instruction ID: 4395a0af508200b1753acfa0194565fc114ec83b6eb8742fac8749b02e0f6554
                                                                                                                    • Opcode Fuzzy Hash: 7ea5a1c6c2fa86a320d8c11b9334a8937c4b6e5d2b691a7978310d2b105d5ea6
                                                                                                                    • Instruction Fuzzy Hash: 7EF0BB3270CD1A4FEB44B51CB88657837D0FB55335B10017AD54EC76E2DA5A98438649
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 5f98e1670b5c5eaf8c909c429d2783f54f34816d0e0692f90274ed8b5adc9489
                                                                                                                    • Instruction ID: ef485ae93fb7f0052f60797038f198054f47a1a50d4c4faa157b2400509cbf4b
                                                                                                                    • Opcode Fuzzy Hash: 5f98e1670b5c5eaf8c909c429d2783f54f34816d0e0692f90274ed8b5adc9489
                                                                                                                    • Instruction Fuzzy Hash: DAF02431A1DD4D6FEB94A11898187767BC5EBD5362F1401BAE849D7291CE37E8018391
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 8c963cb188a5e9f4c6331a7df418a2b44c46e6a95688d9ba4cade89cf6f8c6f8
                                                                                                                    • Instruction ID: a2d8da4d1f1adc626435541200cdb2e6ac0873516b06f08ede9732f3fda291d9
                                                                                                                    • Opcode Fuzzy Hash: 8c963cb188a5e9f4c6331a7df418a2b44c46e6a95688d9ba4cade89cf6f8c6f8
                                                                                                                    • Instruction Fuzzy Hash: B601213090CA89AFE742EB2888582EC7FF0EF46251F0501F3C508C70A3DB281D49C355
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 20664d8cf9d0a0e0404358ccc8e1f4c1fe5a66449176149e18c3f0157a91f097
                                                                                                                    • Instruction ID: 07f6fe853b484662e3184fee19ae99191c5daeb69bfaca3521623ae173537f50
                                                                                                                    • Opcode Fuzzy Hash: 20664d8cf9d0a0e0404358ccc8e1f4c1fe5a66449176149e18c3f0157a91f097
                                                                                                                    • Instruction Fuzzy Hash: 6AF0F612B0DA954FD326B77DBD970E4BFD0DB82161B0851BBC004C6193D90955868386
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 8bbba65a89f77509c3267e0e7d7bbf2e367a7a4e71f2c6a5955ca7ae0b7837fb
                                                                                                                    • Instruction ID: a31fe859149d2714d488eba5ee61b190eca7798b30fce84e5832c60d1c946c73
                                                                                                                    • Opcode Fuzzy Hash: 8bbba65a89f77509c3267e0e7d7bbf2e367a7a4e71f2c6a5955ca7ae0b7837fb
                                                                                                                    • Instruction Fuzzy Hash: 64F0F62191CBCA1FD766963894543E67FA0FF92240F0002F7D04CD7182EF281A4A8781
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: f6ed1395b09caaa094c70cfe9a1dc8660f85a33039d6ab9de885da4a9795d0a0
                                                                                                                    • Instruction ID: 5776c686d08333e4e6bdc2315c510bbcdb67733556087225dcb5d8b999b3a06c
                                                                                                                    • Opcode Fuzzy Hash: f6ed1395b09caaa094c70cfe9a1dc8660f85a33039d6ab9de885da4a9795d0a0
                                                                                                                    • Instruction Fuzzy Hash: 0DF0DA71A2CB088F9F44AE0CBC434A97BD0EB88B65F10116BF94943201D721B8528AC7
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 13bcaca35d4acdc32c75a5d81eb336d0b80738473d176e00d152b353309aa91f
                                                                                                                    • Instruction ID: d8e9a521f34db9cc03dcf9436bb549685c747a0122a86cd33ce09c814a3d95e8
                                                                                                                    • Opcode Fuzzy Hash: 13bcaca35d4acdc32c75a5d81eb336d0b80738473d176e00d152b353309aa91f
                                                                                                                    • Instruction Fuzzy Hash: A9F02D2051DECB1FE72AB73C94185A07FE0EF45355F0C01F6D448CB193DA28A894C755
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: eef9dd2721f30ee3fd6983efd0d7c1bc4a3f2f0f3f753ace7689d01f54525f1e
                                                                                                                    • Instruction ID: 3752c9d9de4e74b8c25e56808de77c1c3546f494d607c443d172bfc6eba5e2ab
                                                                                                                    • Opcode Fuzzy Hash: eef9dd2721f30ee3fd6983efd0d7c1bc4a3f2f0f3f753ace7689d01f54525f1e
                                                                                                                    • Instruction Fuzzy Hash: 04F08251E0ED9A4FE257A22C28692B81FD1DFD5561B4C01FBD448C7297EE4C58934386
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 0776cae5edb58b3ff680ee9feaf8b9de0c1b02fb834b418d770d72b61fda5a1c
                                                                                                                    • Instruction ID: 2b26a88f086e7af8ea86403fbcd1b59d3a38374a0e2eb5a961c9ba476a8eaedc
                                                                                                                    • Opcode Fuzzy Hash: 0776cae5edb58b3ff680ee9feaf8b9de0c1b02fb834b418d770d72b61fda5a1c
                                                                                                                    • Instruction Fuzzy Hash: 56F0C221D1CD064FF260AA1894446B6BBD2EF81381F6941B6D40DD319ADF3AAC8252C8
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 7b1f0b71aba41ebf27cfaa469a89d09a1a8a1d283e1cd7f930f0045f5a0e39ef
                                                                                                                    • Instruction ID: cce1634ea59b08efbb6bbafbec5766b2385b9325a6c000a5c5066fc49863dc4b
                                                                                                                    • Opcode Fuzzy Hash: 7b1f0b71aba41ebf27cfaa469a89d09a1a8a1d283e1cd7f930f0045f5a0e39ef
                                                                                                                    • Instruction Fuzzy Hash: 36F0A772B2CE1D4FE159BA1C24031BC77C1EB895A5B10446FD08FC3647DE15680B4385
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 388a3d3d729a14a6a8c22fe7d76741be50e53e967f0963907c7e0cdf9c02a6d1
                                                                                                                    • Instruction ID: b189013ad5cb73e0c7611412dcf795b1fe34c2e238aa8b341b525fbe2075dafb
                                                                                                                    • Opcode Fuzzy Hash: 388a3d3d729a14a6a8c22fe7d76741be50e53e967f0963907c7e0cdf9c02a6d1
                                                                                                                    • Instruction Fuzzy Hash: 64018B3090DA898FDB44EE2898552E97BA1FF95341F15057AE40CC7282DB79A961C780
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 6c6a1f63ae36d4b67d5e0e77ace6ee40f99497eda2bdff891cc4892b2260bd7d
                                                                                                                    • Instruction ID: b45d66c8c02de67eef63e4d005d892b7517e21e3da7663e238a7f6c7879c409c
                                                                                                                    • Opcode Fuzzy Hash: 6c6a1f63ae36d4b67d5e0e77ace6ee40f99497eda2bdff891cc4892b2260bd7d
                                                                                                                    • Instruction Fuzzy Hash: EDE06D72A2CB048F9B08AE0CB8030FD77D0EB89675F00026FE54A93651DB22B41246CB
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 34951671e0dd713b7bfafcb877207e245762a143dc08ead8dc5c39ed4bbf4266
                                                                                                                    • Instruction ID: dd1b6acb4af463eea3ae3902f8528b819f0cf14f86235e3a9493b149fefa8645
                                                                                                                    • Opcode Fuzzy Hash: 34951671e0dd713b7bfafcb877207e245762a143dc08ead8dc5c39ed4bbf4266
                                                                                                                    • Instruction Fuzzy Hash: 0CF0A930C49A0DCFCB14AEA4A4043FCB6B4FB0A306F402239D00CF2580D3BA9A96CB18
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: df0f177b0c9697c498d66e2fae87a3b4912edfa4728cf53e9d3bfe58672d2c3d
                                                                                                                    • Instruction ID: 5dc8b260064a5f629ff69ecf6ec638ecb545a2f1c97e5f74c064c4479beae154
                                                                                                                    • Opcode Fuzzy Hash: df0f177b0c9697c498d66e2fae87a3b4912edfa4728cf53e9d3bfe58672d2c3d
                                                                                                                    • Instruction Fuzzy Hash: BDF0EC31E2CD1F1FD998F62C50987FE27D1EB94751F44003AD44EC3186DE5DA8854384
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a26159aaf74294c7643fe9e4aa9c9948242d7505f1e30b4d7a3298cd685a66e5
                                                                                                                    • Instruction ID: 7bbb81f8ea30d22f3beb7e9f3f1bc23bffa59fbe499df67595b5a51eba76524c
                                                                                                                    • Opcode Fuzzy Hash: a26159aaf74294c7643fe9e4aa9c9948242d7505f1e30b4d7a3298cd685a66e5
                                                                                                                    • Instruction Fuzzy Hash: 7EF03031C49A0DDFC714AE55E4483FDB6B4FB4A346F402539D01CA2181D7BA9695DB48
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 87b274870ccc64b07e8dacfa8d8c39b99aef103c19e3d6eaa1b11d35dec00427
                                                                                                                    • Instruction ID: ae847d8b56e29466b7ce67fdb854299af8cf1ae07ead47c7d02a2c0bd0bc5e56
                                                                                                                    • Opcode Fuzzy Hash: 87b274870ccc64b07e8dacfa8d8c39b99aef103c19e3d6eaa1b11d35dec00427
                                                                                                                    • Instruction Fuzzy Hash: 41E04F32B0D9098F9B98D9AC78461FAB7D2E798126B14437FD14FC3646CE2588168384
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: b4190d1b7896c953fdc1aa9f5b43577caa7e002d88fff42f5863ff6cd3671cad
                                                                                                                    • Instruction ID: f0383c06200566081840438b1a0b0e21fa0f392f8b1fa6d2c0477ddd719536bd
                                                                                                                    • Opcode Fuzzy Hash: b4190d1b7896c953fdc1aa9f5b43577caa7e002d88fff42f5863ff6cd3671cad
                                                                                                                    • Instruction Fuzzy Hash: B3F05474E1490AEFE748FA589899AAC77F1FF98B51F444030D049E3292CF2D68428711
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.2609487606.00007FF848970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848970000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff848970000_AteraAgent.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 8e6110c2c3c1764d9614c880db4ea69dd0c1702c48077c2c48429997c4248b7e
                                                                                                                    • Instruction ID: 7e8340c55e74d87c06ab39d8a71f6eee991f4088775209d5d969d77d448c1fa8
                                                                                                                    • Opcode Fuzzy Hash: 8e6110c2c3c1764d9614c880db4ea69dd0c1702c48077c2c48429997c4248b7e
                                                                                                                    • Instruction Fuzzy Hash: ACF0E531C5D98E5EEB54BF2884482BCBFE0EF47381F10107AD40DC20D2DF6459948287